From 7bcac4c24fea4440f775321e0bb22357c7b83281 Mon Sep 17 00:00:00 2001 From: Jessica G Date: Tue, 7 Oct 2025 17:18:11 -0700 Subject: [PATCH 1/3] Update release workflow for npm and Node.js Removed NPM_TOKEN from environment variables and updated Node.js version to 22. Added npm upgrade step and ensured npm version is >= 11.5.1 for trusted publishing. Signed-off-by: Jessica G --- .github/workflows/release.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 764fb0656..23cf1b3ed 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,6 @@ env: GITHUB_ACTOR: "hyperledger-bot" GITHUB_ACTOR_EMAIL: "hyperledger-bot@hyperledger.org" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }} OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }} @@ -20,6 +19,7 @@ on: permissions: contents: write packages: write + id-token: write # Required for npm trusted publishing (OIDC) jobs: release: @@ -33,7 +33,12 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: "lts/*" + node-version: 22 + registry-url: "https://registry.npmjs.org/" + + # Ensure npm version >= 11.5.1 (lowest supporting trusted publishing) + - name: Upgrade npm + run: npm install -g npm@^11.5.1 - name: "Install Java ${{ env.JAVA_VERSION }}" uses: actions/setup-java@v4 @@ -44,7 +49,6 @@ jobs: server-username: ${{ secrets.OSSRH_USERNAME }} server-password: ${{ secrets.OSSRH_PASSWORD }} - - uses: crazy-max/ghaction-import-gpg@v5 id: import_gpg with: @@ -55,6 +59,9 @@ jobs: git_config_global: true git_tag_gpgsign: false + - name: Install Dependencies + run: npm ci + - name: "Release" env: GITHUB_TOKEN: ${{ secrets.IDENTUS_CI }} From 548d93e26eafec379a9dff32798128d49400ffa9 Mon Sep 17 00:00:00 2001 
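Review bot: In `.github/workflows/release.yml` at `@@ -20,6 +19,7 @@`, `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can request an OIDC token, not only the one that publishes. Only the `release` job is visible in this patch; if it is the sole publisher, consider granting the scope under `jobs.release.permissions` instead, so that jobs added later do not inherit it. A job-level `permissions` block replaces the workflow-level set for that job, so `contents: write` and `packages: write` would have to be listed there as well.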
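Review bot: The new `Upgrade npm` step at `@@ -33,7 +33,12 @@` installs `npm@^11.5.1`, a caret range that is resolved at run time, so the publishing toolchain can change between releases without any commit to review. This job holds `id-token: write` and the signing secrets, so an exact pin such as `run: npm install -g npm@11.5.1`, bumped deliberately, keeps the release path reproducible. The comment above the step could then read `# Pin npm to a reviewed version >= 11.5.1 (minimum for trusted publishing)`.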
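Review bot: The added `Install Dependencies` step at `@@ -55,6 +59,9 @@` runs `npm ci`, and with it any dependency lifecycle scripts, while the workflow-level `env:` secrets (`GITHUB_TOKEN`, `OSSRH_*`) are in its environment and the job can mint an OIDC token. If no dependency needs its install scripts at release time, which cannot be determined from this hunk, `run: npm ci --ignore-scripts` removes that exposure. Otherwise, consider moving those secrets out of the workflow `env:` and into the `Release` step that consumes them. As the series stands, the `npm audit signatures` check added in patch 2/3 runs only after these scripts have already executed.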
From: Jessica G Date: Tue, 7 Oct 2025 17:19:47 -0700 Subject: [PATCH 2/3] Log npm version and run npm audit Added npm version logging and audit command. Signed-off-by: Jessica G --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23cf1b3ed..3472f4816 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -75,5 +75,6 @@ jobs: OSSRH_GPG_SECRET_KEY: ${{ secrets.HYP_BOT_GPG_PRIVATE }} OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.HYP_BOT_GPG_PASSWORD }} run: | - npm install + echo "Using npm version: $(npm -v)" + npm audit signatures npx semantic-release From 79eb3b1034d31c92a3ece3e9cca4f2fca71bbe12 Mon Sep 17 00:00:00 2001 From: Jessica G Date: Tue, 7 Oct 2025 17:22:22 -0700 Subject: [PATCH 3/3] chore: Remove NPM_TOKEN from build-and-test workflow Removed NPM_TOKEN from workflow secrets. Signed-off-by: Jessica G --- .github/workflows/build-and-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 10d56ebba..dd0de061f 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -7,7 +7,6 @@ env: GITHUB_ACTOR: "hyperledger-bot" GITHUB_ACTOR_EMAIL: "hyperledger-bot@hyperledger.org" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} OSSRH_TOKEN: ${{ secrets.OSSRH_PASSWORD }} OSSRH_GPG_SECRET_KEY: ${{ secrets.HYP_BOT_GPG_PRIVATE }}
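Review bot: `npm audit signatures` is placed inside the `Release` step's `run:` block at `@@ -75,5 +75,6 @@`, so it executes with that step's release token and GPG key material in its environment, and only after the earlier `npm ci` step has installed the dependencies. Moving it into its own step directly after `Install Dependencies`, e.g. `- name: Verify registry signatures` with `run: npm audit signatures`, makes the check a distinct gate without the step-level secrets and with a clearly attributable failure. The step's `env:` block starts outside the hunk, so only the two `OSSRH_GPG_*` entries are visible here. Separately, with `NPM_TOKEN` removed in patch 1/3, `npx semantic-release` can only publish if the npm plugin version it resolves supports OIDC trusted publishing; that is not visible in this series and is worth confirming before the next release.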