@Apollon77
Collaborator

This PR adjusts the GHA we use to publish the npmjs packages for NPM Trusted publishing.

Please do not set to automerge. I will merge once I finished the setup for all packages on npm.

Note: For the future we need to publish new packages once manually in order to configure them for trusted publishing.

Docs: https://docs.npmjs.com/trusted-publishers/#configuring-trusted-publishing

This PR adjusts the GHA we use to publish the npmjs packages for NPM Trusted publishing.

Please do not set to automerge. I will merge once I finished the setup for all packages on npm.

Note: For the future we need to publish new packages once manually in order to configure them for trusted publishing.
Copilot AI review requested due to automatic review settings December 6, 2025 19:32
@Apollon77 Apollon77 requested a review from lauckhart as a code owner December 6, 2025 19:32
Contributor

Copilot AI left a comment

Pull request overview

This PR configures the GitHub Actions workflow to use NPM trusted publishing, which uses OpenID Connect (OIDC) authentication instead of manual NPM tokens. The changes add the required OIDC permission, remove the legacy token-based authentication, and upgrade npm to ensure compatibility with trusted publishing features.

Key Changes:

  • Adds id-token: write permission for OIDC authentication
  • Removes manual NPM_TOKEN authentication and npm whoami verification
  • Upgrades npm to the latest version before publishing
Comments suppressed due to low confidence (1)

.github/workflows/release-npm.yml:129

  • When using NPM trusted publishing with OIDC, the --provenance flag should be added to npm publish commands to generate provenance attestations. This provides transparency about where and how the package was built.

Add --provenance to both publish commands:

npm publish --workspaces --tag dev --provenance

and

npm publish --workspaces --provenance

Reference: https://docs.npmjs.com/generating-provenance-statements

            npm publish --workspaces --tag dev
          else
            npm publish --workspaces
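
A check along the lines of the key changes listed in the review above, as an added example that is not part of the PR or the project's code: it lints workflow text for the OIDC permission, leftover token references, and the ordering of the npm upgrade. The function name and both sample workflows are constructed for illustration.

```javascript
// Added example, not from the PR: lint a release workflow for the three changes
// the review lists. Line-based text checks (no YAML parser); the name is hypothetical.
function auditTrustedPublishing(workflowText) {
  // Drop YAML/shell comments so commented-out lines do not count.
  const lines = workflowText.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, ""));
  const findings = [];

  // 1. OIDC: `id-token: write` must be granted (workflow or job level, not distinguished here).
  if (!lines.some((l) => /^\s*id-token:\s*write\s*$/.test(l))) {
    findings.push("missing permission id-token: write");
  }

  // 2. Legacy auth: references to a long-lived npm token should be gone.
  lines.forEach((l, i) => {
    if (/\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b|_authToken/.test(l)) {
      findings.push(`line ${i + 1}: legacy npm token reference`);
    }
  });

  // 3. npm must be upgraded before the first publish command runs.
  const upgradeAt = lines.findIndex((l) => /\bnpm\s+(install|i)\s+(-g|--global)\s+npm(@\S+)?\s*$/.test(l));
  const publishAt = lines.findIndex((l) => /\bnpm\s+publish\b/.test(l));
  if (publishAt === -1) {
    findings.push("no npm publish command found");
  } else if (upgradeAt === -1 || upgradeAt > publishAt) {
    findings.push("npm is not upgraded before npm publish");
  }
  return findings;
}

// Constructed sample workflows (not the project's release-npm.yml).
const BEFORE = [
  "jobs:",
  "  publish:",
  "    steps:",
  "      - run: npm publish --workspaces",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");
const AFTER = [
  "permissions:",
  "  id-token: write",
  "jobs:",
  "  publish:",
  "    steps:",
  "      - run: npm install -g npm@latest",
  "      - run: npm publish --workspaces",
].join("\n");

console.log(auditTrustedPublishing(BEFORE));
console.log(auditTrustedPublishing(AFTER));
```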

@Apollon77 Apollon77 merged commit b8ee968 into main Dec 8, 2025
42 checks passed
@Apollon77 Apollon77 deleted the prep-trusted-publishing branch December 8, 2025 08:17