From 98dcc7c68f51fac7496bed87e5d9b5ea314d17bc Mon Sep 17 00:00:00 2001 From: azagatti Date: Wed, 24 Jun 2026 02:51:20 -0300 Subject: [PATCH] ci(release): publish via npm Trusted Publishing (OIDC), drop NPM_TOKEN The npm package now requires Trusted Publishing (tokens disallowed), so authenticate the release with GitHub OIDC instead of a long-lived token: - Remove NODE_AUTH_TOKEN / NPM_TOKEN from the publish step. The workflow already grants `id-token: write`, which is what OIDC needs. - Bump .nvmrc 22 -> 24: OIDC trusted publishing requires npm >= 11.5.1, and Node 24 ships npm >= 11.6 (Node 22 ships npm 10.x). release-it-pnpm disables release-it's built-in npm plugin and publishes via `pnpm publish`, so there is no `npm whoami` auth pre-check to break. After a successful release the NPM_TOKEN secret can be deleted. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release.yml | 4 +++- .nvmrc | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b128008..2add059 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,9 +39,11 @@ jobs: - name: Build project run: pnpm build + # Publishing uses npm Trusted Publishing (OIDC) via the `id-token: write` + # permission above — no NPM_TOKEN. release-it-pnpm runs `pnpm publish`, + # and Node 24 ships npm >= 11.5.1, which is required for OIDC publishing. - name: Create Release and Publish run: pnpm release env: GITHUB_TOKEN: ${{ secrets.GH_PAT }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: true diff --git a/.nvmrc b/.nvmrc index 8fdd954..a45fd52 100644 --- a/.nvmrc +++ b/.nvmrc @@ -1 +1 @@ -22 \ No newline at end of file +24