Skip to content

ci(release): npm Trusted Publishing (OIDC), drop NPM_TOKEN#68

Merged
AZagatti merged 1 commit into
mainfrom
chore/npm-trusted-publishing
Jun 24, 2026
Merged

ci(release): npm Trusted Publishing (OIDC), drop NPM_TOKEN#68
AZagatti merged 1 commit into
mainfrom
chore/npm-trusted-publishing

Conversation

@AZagatti

Copy link
Copy Markdown
Collaborator

Switches the release workflow to npm Trusted Publishing (OIDC) now that the package has tokens disallowed.

Changes

  • release.yml: removed NODE_AUTH_TOKEN / NPM_TOKEN from the publish step. The workflow already grants permissions: id-token: write, which is all OIDC needs.
  • .nvmrc: 22 → 24. OIDC trusted publishing requires npm ≥ 11.5.1; Node 24 ships npm ≥ 11.6, while Node 22 ships npm 10.x.

Why it's safe

release-it-pnpm disables release-it's built-in npm plugin (disablePlugin()['npm','version']), so there's no npm whoami auth pre-check to fail with tokens disallowed — publishing is done entirely by pnpm publish, which supports OIDC (pnpm#9812) on the native path with pnpm/action-setup@v6.

Verified

ci + e2e run on Node 24 via .nvmrc. Locally on Node 24: lint, 115 tests, build all pass.

Note

The actual token-less publish can only be confirmed by triggering the manual Release and Publish workflow — pnpm 11's OIDC path is the one thing worth watching on the first run. After a successful release, the NPM_TOKEN secret can be deleted.

🤖 Generated with Claude Code

The npm package now requires Trusted Publishing (tokens disallowed), so
authenticate the release with GitHub OIDC instead of a long-lived token:

- Remove NODE_AUTH_TOKEN / NPM_TOKEN from the publish step. The workflow
  already grants `id-token: write`, which is what OIDC needs.
- Bump .nvmrc 22 -> 24: OIDC trusted publishing requires npm >= 11.5.1,
  and Node 24 ships npm >= 11.6 (Node 22 ships npm 10.x). release-it-pnpm
  disables release-it's built-in npm plugin and publishes via
  `pnpm publish`, so there is no `npm whoami` auth pre-check to break.

After a successful release the NPM_TOKEN secret can be deleted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@AZagatti AZagatti merged commit 63c43ea into main Jun 24, 2026
2 checks passed
@AZagatti AZagatti deleted the chore/npm-trusted-publishing branch June 24, 2026 05:52
@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 91.492%. remained the same — chore/npm-trusted-publishing into main

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants