Commit 35371d8

ci: switch npm auth to OIDC provenance, remove NPM_TOKEN
1 parent c176576 commit 35371d8

1 file changed

Lines changed: 9 additions & 4 deletions

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
1111
runs-on: ubuntu-latest
1212
permissions:
1313
contents: read
14-
id-token: write # for npm provenance
14+
id-token: write # required for npm OIDC provenance
1515

1616
steps:
1717
- uses: actions/checkout@v4
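
Review bot: `id-token: write` at line 14 is granted to the whole job, so every step that runs before the publish (the `actions/checkout@v4` step here and the steps after it) can request an OIDC token, and with `NPM_TOKEN` removed in this commit that token is the only publishing credential. Consider moving the publish into its own job that holds `id-token: write` while the build job keeps `contents: read` only, and pin `actions/checkout` to a full commit SHA instead of the mutable `v4` tag.
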
@@ -33,6 +33,11 @@ jobs:
3333
run: pnpm -r run build
3434

3535
- name: Publish changed packages
36-
run: pnpm -r --filter='...[origin/main]' publish --access public --no-git-checks
37-
env:
38-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
36+
# No token needed — npm authenticates via GitHub OIDC.
37+
# Each package must have this repo configured as a trusted publisher
38+
# on npmjs.org: package settings → Publishing → Add trusted publisher
39+
# Owner: bsv-blockchain
40+
# Repository: ts-stack
41+
# Workflow: release.yml
42+
# Environment: (leave blank)
43+
run: pnpm -r --filter='...[origin/main]' publish --access public --no-git-checks --provenance
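
Review bot: The setup comment at new lines 36-42 tells maintainers to leave Environment blank, so the trusted-publisher match rests on owner, repository and workflow filename alone. Suggest running this job under a protected GitHub environment and entering that environment name in the npmjs.org trusted publisher form rather than leaving it empty. Separately, deleting `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` from the workflow does not invalidate the token itself, so it should be revoked on npm and removed from the repository secrets as a follow-up, and the comment could say so.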
