Publish to npm via OIDC trusted publishing #148

Merged: gaojude merged 1 commit into main from release-oidc-trusted-publishing, Jun 24, 2026

@gaojude (Contributor) commented Jun 24, 2026

The release workflow authenticated with the long-lived `NPM_TOKEN_ELEVATED` secret, which infra no longer issues — publishing now 403s. Switches `release.yml` to npm trusted publishing: OIDC against the trusted publisher configured for this repo, no stored token. `id-token: write` was already granted, so this drops `NODE_AUTH_TOKEN`, bumps Node to 22 and npm to latest (OIDC needs npm >= 11.5.1), and publishes with `npm publish` since `pnpm@9.15.9` can't do the OIDC exchange. Provenance is now automatic.

@gaojude requested a review from aurorascharff June 24, 2026 22:42
@gaojude merged commit 95794e0 into main Jun 24, 2026
4 checks passed
@gaojude deleted the release-oidc-trusted-publishing branch June 24, 2026 22:47
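
A preflight for the three conditions the description names (npm >= 11.5.1, `id-token: write` granted, `NODE_AUTH_TOKEN` dropped), as an added example that is not part of this pull request or the repository. The function names are hypothetical, and it assumes a GitHub Actions runner, which exposes `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` only to jobs granted `id-token: write`.

```shell
#!/bin/sh
# Added example (not this repository's code): preflight for an npm
# trusted-publishing job. Function names are hypothetical.

MIN_NPM="11.5.1"  # minimum npm version the PR gives for the OIDC exchange

# version_ge A B: succeeds when dotted version A >= B (first three fields;
# a pre-release suffix such as "-beta" is ignored).
version_ge() {
  a=$1 b=$2
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# preflight NPM_VERSION: prints each finding, returns the number of findings.
preflight() {
  problems=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM"
    problems=$((problems + 1))
  fi
  # Assumption: GitHub Actions runner, which sets both variables only for
  # jobs granted `permissions: id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: job lacks id-token: write"
    problems=$((problems + 1))
  fi
  # The PR drops NODE_AUTH_TOKEN; if set, a stored token is still in the job.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is still set: stored token exposed to the job"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage in a release step, before `npm publish`:
#   preflight "$(npm --version)" || exit 1
```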