6 changes: 4 additions & 2 deletions .github/workflows/npm-publish.yml
Expand Up @@ -4,6 +4,7 @@ on:
types: [created]

permissions:
id-token: write
contents: read
Comment on lines 6 to 8
Copilot AI Apr 22, 2026

Consider scoping id-token: write to the specific job (or even the publishing step via job-level permissions) instead of workflow-wide permissions. This keeps least-privilege if additional jobs are added later.

jobs:
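Review bot: `id-token: write` is granted at the workflow level (the new `permissions:` block on lines 6 to 8), so every job in this workflow, including any added later, can request an OIDC token that npmjs.org will accept for Trusted Publishing. Move `permissions:` with `id-token: write` and `contents: read` under the publish job that runs `npm run deploy`, so only that job can mint the token; the workflow-level block can then be dropped or reduced to `contents: read`.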
Expand All @@ -17,6 +18,9 @@ jobs:
node-version: 20
registry-url: "https://registry.npmjs.org"

- name: 'Update NPM' # needed for npmjs.org Trusted Publishing
run: npm install -g npm@latest

Copilot AI Apr 22, 2026

Using npm@latest makes the publish workflow non-reproducible and can break future releases unexpectedly when npm publishes a new major. Prefer pinning to a known-good npm major/minor that supports npmjs Trusted Publishing (and update intentionally when needed), or document the minimum required npm version.

Suggested change
run: npm install -g npm@latest
run: npm install -g npm@11.5.1

- run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
- run: echo ${VERSION}
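Review bot: the new 'Update NPM' step runs `npm install -g npm@latest` inside the release path, so the publishing client changes from run to run and a new npm major could alter publish behaviour with no change to this repository. Pin it to a specific version known to support npmjs Trusted Publishing (the inline suggestion proposes `npm@11.5.1`) and bump it deliberately, keeping the trailing comment so a future reader knows why the upgrade step exists at all. Note also that this step runs before `VERSION` is derived from `GITHUB_REF`, so a failure here blocks every release; a pinned version makes that failure mode reproducible rather than dependent on what npm published that day.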

Expand All @@ -37,5 +41,3 @@ jobs:
# use npm run as yarn run changes the registry and publishes to https://registry.yarnpkg.com
run: npm run deploy ${NPM_TAG}
# define env variable for the specific run

Copilot AI Apr 22, 2026

The comment about defining an env variable is now stale since the env: block with NODE_AUTH_TOKEN was removed. Please update or remove this comment to avoid confusion about how authentication works with Trusted Publishing.

Suggested change
# define env variable for the specific run

env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
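Review bot: removing `env:` with `NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}` leaves the `# define env variable for the specific run` comment describing nothing; delete it as the inline suggestion proposes. More importantly, once this merges `NPM_TOKEN` is no longer referenced anywhere in the workflow, so revoke the token on npmjs.org and delete the repository secret rather than leaving a dormant long-lived publish credential next to the OIDC path. It is also worth confirming that the `deploy` script ends in a direct `npm publish`, consistent with the preserved comment about `yarn run` switching the registry, so the credential obtained by the npm client via OIDC is the one actually used.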