Conversation

@gnbm
@gnbm gnbm commented Nov 8, 2025

What is the current behavior?

  • The CD workflow still relies on a long-lived NPM_TOKEN, so it cannot use npm’s trusted-publisher (OIDC) flow.
  • CI runs against Node 18 and uses unpinned action versions.

GitHub Issue Number: N/A

What is the new behavior?

  • CD workflow now requests id-token: write, configures actions/setup-node@v6 with the npm registry, upgrades npm, and runs npm run publish:ci without writing .npmrc, so publishing uses the short-lived OIDC credential.
  • CI workflow tests on Node 20.x and pins actions/checkout and actions/setup-node to the most recent versions.

Does this introduce a breaking change?

  • Yes
  • No

Testing

  • Not run (GitHub Actions workflow update only).

Other information

  • Aligns all release workflows with npm’s trusted-publishing requirements so the branch can pass new registry enforcement.
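The workflow shape the description above lays out, written out as an added illustration (this is not the repository's own cd.yml): the job asks for `id-token: write`, lets `actions/setup-node` configure the registry, upgrades npm, and never writes an `NPM_TOKEN` into `.npmrc`. The commit-SHA placeholders, the tag trigger, and the contents of the `publish:ci` script are assumptions.

```yaml
# Added example, not the project's cd.yml. Placeholders: <commit-sha> stands
# for the real pinned commit; publish:ci is assumed to wrap `npm publish`.
name: CD

on:
  push:
    tags: ['v*']          # assumed release trigger

permissions:
  contents: read
  id-token: write         # lets the job request a short-lived OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Pin to a commit SHA (immutable) and note the tag it corresponds to in a comment.
      - uses: actions/checkout@<commit-sha>   # placeholder SHA for the pinned tag

      - uses: actions/setup-node@<commit-sha> # placeholder SHA for v6
        with:
          node-version: 20
          registry-url: 'https://registry.npmjs.org'   # setup-node handles registry config

      # Trusted publishing needs a current npm CLI, so upgrade before publishing.
      - run: npm install -g npm@latest

      - run: npm ci

      # The weak pattern this replaces (kept only as a comment, do not reintroduce):
      #   - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
      # That step placed a long-lived secret on the runner; with OIDC there is
      # no stored token to leak, rotate, or revoke.
      - run: npm run publish:ci   # assumed to call `npm publish`; npm exchanges the OIDC token for a short-lived credential
```

Two things to check before relying on this: the package must have this repository and workflow file name registered as a trusted publisher in its npm settings, otherwise the OIDC exchange is rejected; and `id-token: write` should be granted only to the publishing job, not at the top level of a workflow that also runs untrusted pull-request code.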

@gnbm gnbm marked this pull request as ready for review November 8, 2025 23:48
@gnbm gnbm requested a review from Copilot November 9, 2025 02:25
Copilot AI left a comment

Pull Request Overview

This PR modernizes the CI/CD workflows by updating Node.js versions, pinning GitHub Actions to specific commit SHAs for security, and transitioning to a more secure npm authentication method using OIDC.

Key changes:

  • Upgraded Node.js from version 18 to version 20 across both workflows
  • Pinned GitHub Actions to commit SHAs with version tags for immutability and security
  • Refactored npm authentication from .npmrc token approach to registry-url configuration with OIDC permissions

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                      | Description
.github/workflows/ci.yml  | Updated Node version to 20.x, pinned actions to commit SHAs, and added emoji labels to workflow steps
.github/workflows/cd.yml  | Updated Node version to 20, added OIDC permissions block, replaced manual npm token setup with registry-url configuration, and added emoji labels to workflow steps

@gnbm gnbm requested a review from Copilot November 9, 2025 14:46
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

@gnbm gnbm requested a review from Copilot November 9, 2025 14:49
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
