Skip to content

chore: migrate to npm Trusted Publishers via OIDC#6

Merged
JanCizmar merged 1 commit into
mainfrom
jancizmar/npm-trusted-publishers
Mar 17, 2026
Merged

chore: migrate to npm Trusted Publishers via OIDC#6
JanCizmar merged 1 commit into
mainfrom
jancizmar/npm-trusted-publishers

Conversation

@JanCizmar
Copy link
Copy Markdown
Member

@JanCizmar JanCizmar commented Mar 17, 2026

Summary

  • Migrates npm publishing from classic NPM_TOKEN to OIDC-based Trusted Publishers, matching the approach from tolgee-js#3501
  • Upgrades Node from 20 to 24 (npm >= 11.5.1 required for OIDC, ships with Node 24)
  • Upgrades actions/checkout and actions/setup-node from v3 to v4

Important

Before merging, you need to configure the Trusted Publisher on npmjs.com:

  1. Go to https://www.npmjs.com/package/@tginternal/editor/access
  2. Under "Publishing access" → "Trusted Publishers", add:
    • Repository: tolgee/editor
    • Workflow: release.yml
    • Environment: (leave blank)

Test plan

  • Build passes with Node 24
  • All 140 tests pass
  • ESLint and TypeScript checks pass
  • Verify Trusted Publisher is configured on npm before merging
  • After merge, verify release workflow publishes successfully

🤖 Generated with Claude Code

@JanCizmar @claude
chore: migrate to npm Trusted Publishers via GitHub Actions OIDC
b326e4b 
NPM classic tokens have been deprecated and capped to 90-day expiry.
This migrates to OIDC-based Trusted Publishers, matching the approach
used in tolgee-js.

Changes:
- Add id-token: write permission for OIDC
- Upgrade Node from 20 to 24 (npm >= 11.5.1 required for OIDC)
- Upgrade actions/checkout and actions/setup-node to v4
- Add registry-url to setup-node for OIDC token exchange
- Remove NPM_TOKEN usage

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@JanCizmar JanCizmar requested a review from Anty0 March 17, 2026 16:59
@JanCizmar JanCizmar merged commit 7a44b9b into main Mar 17, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Anty0 Anty0 Awaiting requested review from Anty0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JanCizmar