@gnbm gnbm commented Nov 9, 2025

Issue number: resolves #


What is the current behavior?

  • Release workflows still inject a long-lived NPM_TOKEN via .npmrc, so publishes do not use npm’s trusted OIDC flow.

What is the new behavior?

  • The shared actions/publish-npm composite action now configures setup-node with the npm registry, upgrades npm in place, and publishes with --provenance without writing .npmrc.
  • release-dev.yml, release-nightly.yml, and release-production.yml call into that trusted flow by removing the token input and (for production) inlining the same OIDC setup before npm run release.ci.
  • Step names were refreshed with emojis, but there are no other behavioral changes.

Does this introduce a breaking change?

  • Yes
  • No

Other information

  • These changes align the Ionic release automation with npm’s trusted-publisher enforcement while keeping the existing Lerna build/publish process intact.

vercel bot commented Nov 9, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ionic-framework | Ready | Preview | Comment | Nov 9, 2025 3:21pm |

@gnbm gnbm marked this pull request as ready for review November 9, 2025 01:14
@gnbm gnbm requested a review from a team as a code owner November 9, 2025 01:14
@gnbm gnbm requested review from OS-jacobbell and Copilot November 9, 2025 01:14

Copilot AI left a comment

Pull Request Overview

This PR updates GitHub Actions workflows to pin action versions using commit hashes for security, migrate to OIDC-based npm authentication, and improve workflow usability with emojis and configuration refinements.

  • Pin actions/checkout and actions/setup-node to specific commit hashes with version comments
  • Migrate from NPM_TOKEN secret to OIDC authentication with provenance publishing
  • Add emoji prefixes to workflow step names for better visibility
  • Change preid input from choice to string type for flexibility
  • Add caching step for @ionic/angular-server build artifact

Reviewed Changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/update-screenshots.yml | Pin checkout action to commit hash |
| .github/workflows/stencil-nightly.yml | Pin checkout action to commit hash |
| .github/workflows/release.yml | Change preid to string type, add permissions, remove NPM_TOKEN, pin checkout |
| .github/workflows/release-ionic.yml | Add permissions, remove NPM_TOKEN, pin checkout, add angular-server cache |
| .github/workflows/nightly.yml | Pin checkout action to commit hash |
| .github/workflows/dev-build.yml | Pin checkout action to commit hash |
| .github/workflows/codeql-analysis.yml | Pin checkout action to commit hash |
| .github/workflows/build.yml | Pin checkout action to commit hash |
| .github/workflows/actions/upload-archive/action.yml | Add emoji to step name |
| .github/workflows/actions/update-reference-screenshots/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-vue-e2e/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-react-router-e2e/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-react-e2e/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-core-spec/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-core-screenshot/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-core-lint/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/test-core-clean-build/action.yml | Pin setup-node, add emoji to step name |
| .github/workflows/actions/test-angular-e2e/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/publish-npm/action.yml | Remove token input, add OIDC config, refactor preid handling, add emojis |
| .github/workflows/actions/download-archive/action.yml | Add emoji to step name |
| .github/workflows/actions/build-vue/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/build-vue-router/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/build-react/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/build-react-router/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/build-core/action.yml | Pin checkout and setup-node, add emojis to step names |
| .github/workflows/actions/build-core-stencil-prerelease/action.yml | Pin checkout and setup-node, add emojis to step names |
| .github/workflows/actions/build-angular/action.yml | Pin setup-node, add emojis to step names |
| .github/workflows/actions/build-angular-server/action.yml | Pin setup-node, add emojis to step names |

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:59

  • The --preid flag is always included even when inputs.preid is empty. This could cause lerna to fail or behave unexpectedly when no preid is provided (e.g., for non-prerelease versions like patch, minor, or major). The command should conditionally include --preid only when inputs.preid is not empty.
      run: lerna version ${{ inputs.version }} --yes --force-publish='*' --conventional-commits --create-release github --preid=${{ inputs.preid }}

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 1 comment.


The previous default of 24.x was there to match the Node version used elsewhere in the repo, so dropping it to 20 only adds confusion. I’ll set the composite action’s node-version default back to 24.x so every caller still gets a consistent runtime, while individual jobs remain free to override it if they need a different Node release.

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

.github/workflows/actions/build-angular/action.yml:6

  • This file was not updated to use the pinned SHA version for actions/setup-node while all other similar files were updated. For consistency and security, this should be changed to actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 to match the pattern used in other workflow files.
    - uses: actions/setup-node@v6

Documented the expected prerelease identifiers in the composite action—preid now explicitly lists common values (alpha, beta, rc, next) and notes that leaving it blank skips prerelease tagging. This preserves validation guidance without reintroducing the linter issue from a choice input. Lint remains clean.

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 1 comment.


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (3)

.github/workflows/actions/build-angular/action.yml:6

  • Inconsistent action pinning: actions/setup-node@v6 should be pinned to the specific SHA 2028fbc5c25fe9cf00d9f06a71cc4710d4507903 like all other files in this PR for security and reproducibility.
    - uses: actions/setup-node@v6

.github/workflows/dev-build.yml:34

  • Inconsistent authentication mechanism: This workflow still passes NPM_TOKEN as a secret to release-ionic.yml, but that workflow has been updated to use OIDC provenance instead. These lines should be removed, and contents: read permission should be added to the release-ionic job.
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/nightly.yml:39

  • Inconsistent authentication mechanism: This workflow still passes NPM_TOKEN as a secret to release-ionic.yml, but that workflow has been updated to use OIDC provenance instead. These lines should be removed, and contents: read permission should be added to the release-ionic job.
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
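
The two classes of finding raised in the reviews above (an action reference left on a mutable tag, and a caller still passing NPM_TOKEN after the move to OIDC) can be checked mechanically. The following is an added example, not code from this PR or the Ionic repository; the sample file contents are constructed from the lines quoted in the review, and the rule names are hypothetical.

```python
import re

# "uses: owner/repo@ref"; local paths and docker:// refs carry no "@" and are not matched.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#@]+)@([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Traces of the token-based flow the PR removes: the secret name and the .npmrc auth key.
TOKEN_RE = re.compile(r"\bNPM_TOKEN\b|_authToken")

def audit_workflow(path, text):
    """Return (path, line, rule, detail) tuples for one workflow or action file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = re.sub(r"(^|\s)#.*$", "", line)  # drop YAML comments such as "# v6.0.0"
        m = USES_RE.match(code)
        if m and not FULL_SHA.fullmatch(m.group(2)):
            findings.append((path, lineno, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
        if TOKEN_RE.search(code):
            findings.append((path, lineno, "long-lived-token", code.strip()))
    return findings

# Constructed samples modelled on the lines quoted in the review; not the real files.
SAMPLES = {
    "build-angular/action.yml": """\
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v6
""",
    "build-core/action.yml": """\
runs:
  using: composite
  steps:
    - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
""",
    "dev-build.yml": """\
jobs:
  release-ionic:
    uses: ./.github/workflows/release-ionic.yml
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
}

def audit_all(files):
    """Audit a {path: text} mapping and return all findings in file order."""
    return [f for path, text in files.items() for f in audit_workflow(path, text)]

if __name__ == "__main__":
    for path, lineno, rule, detail in audit_all(SAMPLES):
        print(f"{path}:{lineno}: {rule}: {detail}")
```

Run as a required check over `.github/workflows/**`, a non-empty result can fail the job so that a tag-pinned action or a leftover token reference cannot be merged unnoticed.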
