Support trusted publishing (OIDC)

[robvanderleek]

Thanks for maintaining this action.

Since npmjs is changing authentication and token management, is it possible to support trusted publishing via OIDC?

Trusted publishing is supported in the latest semantic-release version, and there's already a PR for it.

[G-Rath]

@robvanderleek I don't think that PR needs landing for OIDC since you can specify a specific version of semantic-release - there could be other changes, but I think what needs to happen is for someone to try just using OIDC with this action and reporting back what happens.

(I'd do that but I don't have anything that needs publishing for the codebases that use this action 😬)

[robvanderleek]

Hi @G-Rath

Thanks for pointing me to the version override option.
I have a package that requires trusted publishing.
First try with this override failed, but that was due to a missing entry in package.json.
Second try succeeded 🚀

Let me know if there's anything else I need to try, otherwise this issue can be closed.

[ValeryG]

until this PR is merged, the only way I found to make it working is to specify sematic-relelase version as a param:

      - name: Semantic Release
        id: semantic_release
        uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2
        with:
          semantic_version: 25.0.1

would be great if PR is merged soon ...

[nickredmark]

thanks for the hints, I tried to update our workflow like this, but now it can't connect to github

name: Release npm package
on:
  push:
    branches:
      - 'main'
      - 'next'

permissions:
  id-token: write # Required for OIDC
  contents: read

jobs:
  release:
    name: build and release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: true
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm run build
      - name: semantic release
        uses: cycjimmy/semantic-release-action@v6
        with:
          semantic_version: 25
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

error

[11:49:45 AM] [semantic-release] › ✔  Run automated release from branch next on repository https://github.com/XXX/XXX
[11:49:45 AM] [semantic-release] › ✘  The command "git push --dry-run --no-verify https://x-access-token:[secure]@github.com/XXX/XXX HEAD:next" failed with the error message remote: Permission to XXX/XXX.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/XXX/XXX/': The requested URL returned error: 403.
[11:49:45 AM] [semantic-release] › ℹ  Start step "fail" of plugin "@semantic-release/github"
[11:49:45 AM] [semantic-release] [@semantic-release/github] › ℹ  Verify GitHub authentication (https://api.github.com/)
[11:49:46 AM] [semantic-release] › ✘  Failed step "fail" of plugin "@semantic-release/github"
[11:49:46 AM] [semantic-release] › ✘  An error occurred while running semantic-release: Error: Variable $owner of type String! was provided invalid value
    at file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/node_modules/aggregate-error/index.js:23:26
    at Array.map (<anonymous>)
    at new AggregateError (file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/node_modules/aggregate-error/index.js:16:19)
    at file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/lib/plugins/pipeline.js:55:13
    at async pluginsConfigAccumulator.<computed> [as fail] (file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/lib/plugins/index.js:87:11)
    at async callFail (file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/index.js:252:7)
    at async Module.default (file:///home/runner/work/_actions/cycjimmy/semantic-release-action/v6/node_modules/semantic-release/index.js:282:7)
    at async release (/home/runner/work/_actions/cycjimmy/semantic-release-action/v6/src/index.js:36:18) {
  extensions: { value: [ 'semantic-release' ], problems: [ [Object] ] },
  locations: [ { line: 2, column: 21 } ],
  pluginName: '@semantic-release/github'
}
[11:49:46 AM] [semantic-release] › ✘  EGITNOPERMISSION Cannot push to the Git repository.
semantic-release cannot push the version tag to the branch next on the remote Git repository with URL https://x-access-token:[secure]@github.com/XXX/XXX.

Edit: Fixed it, more permissions were needed, as documented here: https://github.com/semantic-release/npm?tab=readme-ov-file#trusted-publishing-from-github-actions

permissions:
  contents: write # to be able to publish a GitHub release
  issues: write # to be able to comment on released issues
  pull-requests: write # to be able to comment on released pull requests
  id-token: write # to enable use of OIDC for trusted publishing and npm provenance