Skip to content

feat: migrate npm publish workflows to OIDC trusted publisher #1271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ChiragAgg5k merged 1 commit into from
Dec 24, 2025
+38 −28
Merged

feat: migrate npm publish workflows to OIDC trusted publisher #1271

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 14 additions & 10 deletions templates/cli/.github/workflows/npm-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,21 @@
name: Publish Package to npmjs

on:
release:
types: [published]

permissions:
id-token: write
Copy link

Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The indentation for 'id-token: write' is incorrect. It should be aligned with 'contents:' on line 9. The property should start at column 3 (2 spaces of indentation) to match the YAML structure for the permissions block.

Suggested change
id-token: write
id-token: write

Copilot uses AI. Check for mistakes.
contents: read

jobs:
build-for-linux-and-windows:
build-and-publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '16.x'
node-version: '22'
registry-url: 'https://registry.npmjs.org'
- name: Setup binfmt with QEMU
run: |
Expand All @@ -22,9 +28,9 @@ jobs:
cd ./ldid
sudo make
sudo make install
- name: Install dependenices and build for Linux and Windows
- name: Install dependencies and build for Linux and Windows
run: |
npm install
npm ci
npm run linux-x64
npm run linux-arm64
npm run windows-x64
Expand All @@ -35,13 +41,11 @@ jobs:
run: |
if ${{ contains(github.event.release.tag_name, '-rc') }}; then
echo "Publishing Release Candidate ${{ github.event.release.tag_name}} to NPM"
npm publish --tag next
npm publish --provenance --access public --tag next
else
echo "Publishing ${{ github.event.release.tag_name}} to NPM"
npm publish
npm publish --provenance --access public
fi
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_NO_ORG }}
- uses: fnkr/github-action-ghr@v1
env:
GHR_PATH: build/
Expand Down
14 changes: 8 additions & 6 deletions templates/node/.github/workflows/publish.yml.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
types: [published]
workflow_dispatch:

permissions:
id-token: write
contents: read

jobs:
publish:
runs-on: ubuntu-latest
Expand All @@ -16,7 +20,7 @@ jobs:
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
node-version: '22'
registry-url: 'https://registry.npmjs.org'

# Determine release tag based on the tag name
Expand All @@ -29,14 +33,12 @@ jobs:
echo "tag=latest" >> "$GITHUB_OUTPUT"
fi

# Install dependencies (if any) and build your project (if necessary)
# Install dependencies and build
- name: Install dependencies and build
run: |
npm install
npm ci
npm run build

# Publish to NPM with the appropriate tag
- name: Publish
run: npm publish --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
env:
NODE_AUTH_TOKEN: ${{ '{{' }} secrets.NPM_TOKEN_NO_ORG {{ '}}' }}
run: npm publish --provenance --access public --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
14 changes: 8 additions & 6 deletions templates/react-native/.github/workflows/publish.yml.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
types: [published]
workflow_dispatch:

permissions:
id-token: write
contents: read

jobs:
publish:
runs-on: ubuntu-latest
Expand All @@ -16,7 +20,7 @@ jobs:
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
node-version: '22'
registry-url: 'https://registry.npmjs.org'

# Determine release tag based on the tag name
Expand All @@ -29,14 +33,12 @@ jobs:
echo "tag=latest" >> "$GITHUB_OUTPUT"
fi

# Install dependencies (if any) and build your project (if necessary)
# Install dependencies and build
- name: Install dependencies and build
run: |
npm install
npm ci
npm run build

# Publish to NPM with the appropriate tag
- name: Publish
run: npm publish --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
env:
NODE_AUTH_TOKEN: ${{ '{{' }} secrets.NPM_TOKEN_NO_ORG {{ '}}' }}
run: npm publish --provenance --access public --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
14 changes: 8 additions & 6 deletions templates/web/.github/workflows/publish.yml.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
types: [published]
workflow_dispatch:

permissions:
id-token: write
contents: read

jobs:
publish:
runs-on: ubuntu-latest
Expand All @@ -16,7 +20,7 @@ jobs:
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
node-version: '22'
registry-url: 'https://registry.npmjs.org'

# Determine release tag based on the tag name
Expand All @@ -29,14 +33,12 @@ jobs:
echo "tag=latest" >> "$GITHUB_OUTPUT"
fi

# Install dependencies (if any) and build your project (if necessary)
# Install dependencies and build
- name: Install dependencies and build
run: |
npm install
npm ci
npm run build

# Publish to NPM with the appropriate tag
- name: Publish
run: npm publish --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
env:
NODE_AUTH_TOKEN: ${{ '{{' }} secrets.NPM_TOKEN_NO_ORG {{ '}}' }}
run: npm publish --provenance --access public --tag ${{ '{{' }} steps.release_tag.outputs.tag {{ '}}' }}
Loading