From f5aa085e80779f66c8bb1da2cdd72fcc049e3409 Mon Sep 17 00:00:00 2001
From: Nicolas Dupont
Date: Mon, 12 Jan 2026 17:11:30 +0100
Subject: [PATCH] Fix npm OIDC auth with push trigger

Empirical observation: the workflow succeeds with "on: push" but fails with "on: pull_request_target". This suggests npm's OIDC validation may not support the pull_request subject claim format, though this isn't explicitly documented by npm.

This change is safe because `main` is protected and only accepts PR merges (except OTA-Release-bot for automated release commits). The changelog validation logic also prevents accidental releases.
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dad5b3e82..b4b8da451 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,10 +1,9 @@
 name: Release
 on:
-  pull_request_target:
+  push:
     branches:
       - main
-    types: [ closed ]
 permissions:
   id-token: write # Required for OIDC. See https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
@@ -17,7 +16,7 @@ jobs:
     uses: "OpenTermsArchive/engine/.github/workflows/test.yml@main"
   release:
     needs: [ changelog, test ]
-    if: github.event.pull_request.merged == true && needs.changelog.outputs.release-type != 'no-release'
+    if: needs.changelog.outputs.release-type != 'no-release'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -76,7 +75,7 @@ jobs:
           client-payload: '{"version": "v${{ steps.release-changelog.outputs.version }}"}'
   clean_changelog:
-    if: github.event.pull_request.merged == true && needs.changelog.outputs.release-type == 'no-release'
+    if: needs.changelog.outputs.release-type == 'no-release'
     needs: [ changelog ]
     runs-on: ubuntu-latest
     steps:
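Review bot: With `push` on `main`, every commit reaching the branch starts this workflow, including the OTA-Release-bot commits the description says may bypass the PR requirement, so a release run that pushes its own changelog or version commit back to `main` re-enters the workflow unless the changelog job classifies that commit as `no-release`; pushes made with the default `GITHUB_TOKEN` do not start new runs, but a PAT or app token does, and which one the bot uses is worth recording in a comment above `on:`. Two merges landing in quick succession will also run two `release` jobs against npm at the same time, which the previous `pull_request_target`/`closed` trigger did not prevent either but which is now easier to hit; a top-level `concurrency: { group: release-${{ github.ref }}, cancel-in-progress: false }` serialises them without cancelling an in-flight publish. The `on:`/`permissions:` section continues outside the hunk.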
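Review bot: The new `if:` drops the `github.event.pull_request.merged` guard, which is right for `push`, but any later step in `release` (or in `clean_changelog`, whose condition is changed the same way in the third hunk) that still reads `github.event.pull_request.*`, for example a PR number or head ref fed to the changelog tooling, will now evaluate to an empty string rather than fail loudly. Both jobs continue outside the hunks, so those references should be grepped for and switched to the push-event equivalents such as `github.sha` or `github.event.head_commit`. A one-line comment above the condition, `# Runs for every push to main; release-type is decided by the changelog job`, would also record why the merged check is gone.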