@Strift (Contributor) commented Dec 11, 2025

Pull Request

What does this PR do?

PR checklist

Please check if your PR fulfills the following requirements:

  • Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
  • Have you read the contributing guidelines?
  • Have you made sure that the title is accurate and descriptive of the changes?

Thank you so much for contributing to Meilisearch!

Summary by CodeRabbit

  • Chores
    • Updated CI publishing workflow to use OIDC-based authentication and tightened workflow permissions (granting required read/write scopes) while removing the static publish token usage.


@Strift Strift requested a review from curquiza December 11, 2025 07:37
@Strift Strift added the maintenance Anything related to maintenance (CI, tests, refactoring...) label Dec 11, 2025
@coderabbitai bot commented Dec 11, 2025

Walkthrough

Added a permissions block to the GitHub Actions publish workflow granting id-token: write and contents: read, and removed usage of NODE_AUTH_TOKEN from the Publish step; no other workflow behavior was changed.

Changes

Cohort / File(s): GitHub Actions workflow (.github/workflows/publish.yml)
Summary: Added permissions with id-token: write and contents: read; removed NODE_AUTH_TOKEN env usage from the Publish step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

  • Verify the permissions scope matches the intended OIDC-based publish flow.
  • Confirm the Publish step and any actions consuming auth use the OIDC token instead of NODE_AUTH_TOKEN.

Poem

I hop to the CI, a tiny quick sprite,
Tokens in paw, permissions just right,
No secrets to stash, OIDC's in sight,
Publish takes off on a moonbeam tonight. 🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Configure trusted publishing' directly and accurately describes the main change: adding OIDC permissions to enable trusted publishing in the GitHub Actions workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d0e7385 and 5b9cf50.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: cypress_tests

@coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish.yml (1)

15-18: Add oidc: true to setup-node to enable OIDC authentication.

The permissions block grants id-token: write, and NODE_AUTH_TOKEN has been removed, but the setup-node action is not configured to use OIDC. Without the oidc: true parameter, npm won't exchange the GitHub OIDC token for credentials, causing the publish step to fail. This aligns with npm's trusted publishers documentation.

       - uses: actions/setup-node@v6
         with:
           node-version: 14
           registry-url: https://registry.npmjs.org/
+          oidc: true
🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

17-17: Update Node.js version to a supported version.

Node.js 14 reached end-of-life in April 2023 and is no longer maintained. Use a currently supported LTS version (e.g., 20 or 22).

           node-version: 14
+          node-version: 20
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b9cf50 and 4e8e3d1.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: cypress_tests
  • GitHub Check: tests-run (Node.js 14)
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

6-8: Permissions block correctly configured for OIDC.

The id-token: write permission is necessary for OIDC token generation, and contents: read is required for the checkout action. The permissions follow the principle of least privilege.
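The workflow the two review comments above describe, assembled here as an added illustration of trusted publishing rather than the repository's actual publish.yml. The tag trigger, the checkout and npm ci steps, and the npm upgrade step are assumptions; the permissions block, the setup-node oidc: true input and the removal of NODE_AUTH_TOKEN follow the PR and the review comments.

```yaml
# Illustrative publish workflow (not the repository's own file).
name: Publish

on:
  push:
    tags:
      - 'v*'            # assumption: publish on version tags

# Least-privilege token scopes, as in the PR: id-token: write lets the job mint
# a GitHub OIDC token, contents: read is all checkout needs. Nothing else.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v6
        with:
          # Node 14 is end-of-life (see the nitpick above); 20 is a supported LTS.
          node-version: 20
          registry-url: https://registry.npmjs.org/
          # As recommended in the review comment above: let setup-node exchange
          # the GitHub OIDC token for short-lived npm credentials.
          oidc: true

      # Assumption: trusted publishing depends on a recent npm CLI, so do not
      # rely on the npm bundled with the Node release above.
      - run: npm install -g npm@latest

      - run: npm ci

      # Before this PR the step carried a long-lived secret:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # With trusted publishing there is no static token to leak or rotate; the
      # registry validates the OIDC token against the publisher configured for
      # the package on npmjs.com.
      - name: Publish
        run: npm publish
```

The package's trusted publisher entry on npmjs.com must name this repository and this workflow file, otherwise the registry rejects the publish even though the job holds a valid OIDC token.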
