Skip to content
CI

Replace npm token auth with OIDC trusted publishing #1379

Sign in to view logs

Replace npm token auth with OIDC trusted publishing

Replace npm token auth with OIDC trusted publishing #1379

Workflow file for this run

.github/workflows/ci.yml at 727190e
name: CI
permissions:
contents: write
pull-requests: write
id-token: write
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version:
- 20.x
- 22.x
- 24.x
steps:
- uses: actions/checkout@v6
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm test
- run: npm run build
- run: npm run doc
- name: Save build
if: matrix.node-version == '24.x'
uses: actions/upload-artifact@v6
with:
name: build
path: |
.
!node_modules
retention-days: 1
gh-pages:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/download-artifact@v7
with:
name: build
- uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: .
dependabot:
name: 'Dependabot'
needs: build # After the E2E and build jobs, if one of them fails, it won't merge the PR.
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}} # Detect that the PR author is dependabot
steps:
- name: Enable auto-merge for Dependabot PRs
run: gh pr merge --auto --merge "$PR_URL" # Use Github CLI to merge automatically the PR
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
npm-publish-build:
needs: build
runs-on: ubuntu-latest
if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
permissions:
id-token: write # Required for OIDC trusted publishing
contents: read
steps:
- uses: actions/download-artifact@v7
with:
name: build
- uses: actions/setup-node@v6
with:
node-version: 24.x
registry-url: 'https://registry.npmjs.org'
- name: Clear npm token configuration
run: bash .github/scripts/clear-npm-token.sh
- uses: rlespinasse/github-slug-action@v4.x
- name: Append commit hash to package version
run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json'
- name: Disable pre- and post-publish actions
run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
- name: Verify OIDC authentication
run: bash .github/scripts/verify-oidc.sh
- name: Test npm publish (dry-run) - PRs only
if: github.event_name == 'pull_request'
run: |
echo "Testing npm publish authentication with dry-run..."
echo "Note: OIDC tokens ARE available for pull_request events when the workflow"
echo "has 'id-token: write' permission, allowing us to verify authentication."
npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || {
echo "ERROR: npm publish dry-run failed"
echo "This indicates OIDC authentication is not working correctly"
exit 1
}
echo "✓ npm publish dry-run succeeded - OIDC authentication is working!"
- name: Publish to npm
if: github.event_name != 'pull_request'
run: npm publish --tag ${{ env.GITHUB_REF_SLUG }}
npm-publish-latest:
needs: [build, npm-publish-build]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
permissions:
id-token: write # Required for OIDC trusted publishing
contents: read
steps:
- uses: actions/download-artifact@v7
with:
name: build
- uses: actions/setup-node@v6
with:
node-version: 24.x
registry-url: 'https://registry.npmjs.org'
# OIDC will be used automatically when id-token: write is set
- name: Clear npm token configuration
run: bash .github/scripts/clear-npm-token.sh
- name: Disable pre- and post-publish actions
run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
- name: Verify OIDC authentication
run: bash .github/scripts/verify-oidc.sh
- name: Publish to npm
run: npm publish