(ci) Update npm-publish workflow for npmjs.org OIDC/Trusted publishing #1654
turbobobbytraykov wants to merge 1 commit into master from
Conversation
@damyanpetev, according to the initial official docs for Trusted Publishing:
Pull request overview
Updates the npm publish GitHub Actions workflow to use npmjs.org Trusted Publishing (OIDC) instead of an NPM_TOKEN, aligning this repo with the newer publishing model for the listed packages.
Changes:
- Grants id-token: write so the workflow can request an OIDC token for npm Trusted Publishing.
- Updates npm in the runner prior to publishing.
- Removes NODE_AUTH_TOKEN injection (token-based auth) from the publish step.
| permissions: | ||
| id-token: write | ||
| contents: read |
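Review bot: this workflow-level `permissions:` block applies to every job in the file, so `id-token: write` is granted to any job added later that has nothing to do with publishing. Move `id-token: write` and `contents: read` under the publish job's own `permissions:` and set the workflow level to `permissions: {}` so other jobs start with no token grants.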
Consider scoping id-token: write to the specific job (or even the publishing step via job-level permissions) instead of workflow-wide permissions. This keeps least-privilege if additional jobs are added later.
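As an added example, not the workflow from this PR or from the repository, here is how the job-level scoping suggested above looks in a complete workflow file. The workflow name, the release trigger, the Node version, the action versions and the NPM_TAG variable are assumptions; the deploy command mirrors the one visible in the diff, and the npm pin is the version from the suggestion in this review.

```yaml
name: npm-publish            # assumed name
on:
  release:
    types: [published]       # assumed trigger

# No workflow-wide grants: a job that declares nothing gets no token permissions.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    # Only this job needs the OIDC token, so the grant lives here, not at workflow level.
    permissions:
      id-token: write        # lets the npm CLI request an OIDC token for Trusted Publishing
      contents: read         # checkout only; no write access to the repository
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed
          registry-url: "https://registry.npmjs.org"
      - name: 'Update NPM'   # Trusted Publishing needs a recent npm; pinned, not @latest
        run: npm install -g npm@11.5.1
      # use npm run as yarn run changes the registry and publishes to https://registry.yarnpkg.com
      - run: npm run deploy ${NPM_TAG}   # NPM_TAG is assumed to be set by an earlier step
```

With `permissions: {}` at the top, any job added later (tests, linting, changelog generation) runs with no token grants unless it declares its own, which is the least-privilege default the comment above asks for.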
| registry-url: "https://registry.npmjs.org" | ||
| - name: 'Update NPM' # needed for npmjs.org Trusted Publishing | ||
| run: npm install -g npm@latest |
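Review bot: the `# needed for npmjs.org Trusted Publishing` comment on the 'Update NPM' step names no minimum version, and `npm install -g npm@latest` floats with every npm release, so two runs of this workflow can behave differently with no commit in this repository. State the minimum npm version the OIDC flow requires in that comment and pin to it; the suggested `run: npm install -g npm@11.5.1` below does the pinning half.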
Using npm@latest makes the publish workflow non-reproducible and can break future releases unexpectedly when npm publishes a new major. Prefer pinning to a known-good npm major/minor that supports npmjs Trusted Publishing (and update intentionally when needed), or document the minimum required npm version.
| run: npm install -g npm@latest | |
| run: npm install -g npm@11.5.1 |
| @@ -37,5 +41,3 @@ jobs: | |||
| # use npm run as yarn run changes the registry and publishes to https://registry.yarnpkg.com | |||
| run: npm run deploy ${NPM_TAG} | |||
| # define env variable for the specific run | |||
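Review bot: the hunk header `@@ -37,5 +41,3 @@` shows two lines removed after `# define env variable for the specific run`, which leaves that comment as the last line of the step with nothing following it. Drop the comment together with the `env:` block it described, or reword it to say that the publish step now authenticates with the OIDC token rather than an injected variable.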
The comment about defining an env variable is now stale since the env: block with NODE_AUTH_TOKEN was removed. Please update or remove this comment to avoid confusion about how authentication works with Trusted Publishing.
| # define env variable for the specific run |

Description
This is one of the few remaining repos where we don't have Trusted Publishing to npmjs.org.
I have enabled Trusted Publishing for each package being published from this repo - I believe that publishing a new rc #4 is the best way to try this out.
Related Issue
Closes #
Type of Change
Affected Packages
- igniteui-cli (packages/cli)
- @igniteui/cli-core (packages/core)
- @igniteui/angular-templates (packages/igx-templates)
- @igniteui/angular-schematics (packages/ng-schematics)
- @igniteui/mcp-server (packages/igniteui-mcp)
Checklist
- npm run test
- npm run build
- npm run lint
Additional Context