fix: bump semantic-release and @semantic-release/npm for OIDC trusted publishing#236
Merged
fix: bump semantic-release and @semantic-release/npm for OIDC trusted publishing#236
Conversation
jairo-bc
force-pushed
the
ci/fix-release-workflow
branch
from
2beaa20 to
3461bec
Compare
jairo-bc
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
@semantic-release/npm requires NPM_TOKEN to authenticate with the npm registry. Without it verifyConditions fails with ENONPMTOKEN. Co-Authored-By: Claude <noreply@anthropic.com>
bc-yevhenii-buliuk
force-pushed
the
ci/fix-release-workflow
branch
from
3461bec to
8561848
Compare
bc-yevhenii-buliuk
approved these changes
Apr 1, 2026
jairo-bc
changed the title
Contributor
|
🎉 This PR is included in version 6.21.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What/Why?
Upgrades two packages to enable OIDC trusted publishing, removing the need for a long-lived `NPM_TOKEN` secret:
`@semantic-release/npm` v13.1.0 introduced OIDC trusted publishing — it exchanges the GitHub OIDC token (`id-token: write` permission already set in the workflow) for an npm token automatically.
Rollout/Rollback
The npm package `@bigcommerce/stencil-utils` must have trusted publishing configured on npmjs.org (package settings → Publishing → Trusted Publishers) pointing to this repo/workflow. Without that, the OIDC exchange will fail. Rollback by reverting this PR.
Testing
Verify the next merge to `master` completes the release workflow without `ENONPMTOKEN` and without a `NPM_TOKEN` secret.
Note
Medium Risk
Moderate risk because it changes the release/publish toolchain; failures would impact npm publishing but not runtime library behavior.
Overview
Updates the release tooling by bumping
semantic-releaseand@semantic-release/npmto versions that support npm OIDC trusted publishing.This shifts publishing to rely on GitHub’s
id-token: writeOIDC exchange instead of a long-livedNPM_TOKENsecret, reducing credential management but potentially affecting the next release if npm trusted publisher settings aren’t configured.Written by Cursor Bugbot for commit 8561848. This will update automatically on new commits. Configure here.