@Strift Strift commented Dec 11, 2025

Pull Request

What does this PR do?

PR checklist

Please check if your PR fulfills the following requirements:

  • Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
  • Have you read the contributing guidelines?
  • Have you made sure that the title is accurate and descriptive of the changes?

Thank you so much for contributing to Meilisearch!

Summary by CodeRabbit

  • Chores
    • Updated automated publish workflow permissions to use short-lived identity tokens and removed the long-lived authentication token from publish steps. No changes to exported APIs or user-facing functionality; this is an internal security and CI configuration update.


@Strift Strift added the maintenance Anything related to maintenance (CI, tests, refactoring...) label Dec 11, 2025

coderabbitai bot commented Dec 11, 2025

Walkthrough

The publish workflow now declares explicit GitHub Actions permissions (id-token: write, contents: read) and removes the NODE_AUTH_TOKEN environment variable from the "Publish with latest tag" and "Publish with beta tag" steps.

Changes

Cohort / File(s) | Summary
GitHub Actions Configuration (.github/workflows/publish.yml) | Added a permissions block granting id-token: write and contents: read; removed NODE_AUTH_TOKEN environment variable from the "Publish with latest tag" and "Publish with beta tag" steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review the workflow changes in .github/workflows/publish.yml for intended OIDC usage and ensure no remaining references to NODE_AUTH_TOKEN.
  • Confirm any registry/publish steps still function with OIDC-based authentication and that secrets or tokens are no longer required elsewhere.

Poem

🐰 A hop, a hop, the workflow's light,
Tokens trimmed and steps set right,
OIDC opens a secure gate,
Publishing dances — small and great! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Configure trusted publishing' directly and specifically describes the main change in the pull request, which is configuring OIDC permissions for trusted publishing in the GitHub Actions workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf79acf and e7aa13c.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/publish.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: playground-build (Node.js 18)
  • GitHub Check: playground-build (Node.js 20)
  • GitHub Check: cypress-run


@Strift Strift requested a review from curquiza December 11, 2025 07:35
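
The check the walkthrough asks reviewers to make (id-token: write declared, no remaining NODE_AUTH_TOKEN references), written as an added example that is not part of this PR or the project's code. The workflow text is a constructed, half-migrated sample; the secret name, the npm commands and the function name are assumptions.

```python
import re

# Constructed sample: permissions were added, but one publish step still carries
# the long-lived token. Secret name and npm commands are placeholders.
HALF_MIGRATED = """\
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Publish with latest tag
        run: npm publish
      - name: Publish with beta tag
        run: npm publish --tag beta
        env:
          NODE_AUTH_TOKEN: ${{ secrets.PLACEHOLDER_NPM_TOKEN }}
"""

def audit_trusted_publishing(workflow_text):
    """Line-based audit; assumes block-style YAML and steps that start with '- name:'."""
    findings, perms, step, perm_indent = [], {}, None, None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no configuration
        indent = len(line) - len(line.lstrip())
        if perm_indent is not None and indent <= perm_indent:
            perm_indent = None  # dedent: the permissions block has ended
        if "NODE_AUTH_TOKEN" in line:
            findings.append(f"step {step!r} still references NODE_AUTH_TOKEN")
        m = re.match(r"\s*(?:-\s+)?([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).split(" #")[0].strip()
        if perm_indent is not None:
            perms[key] = value  # workflow- and job-level blocks are merged
        elif key == "permissions":
            perm_indent = indent
        elif key == "name" and line.lstrip().startswith("-"):
            step = value  # remember which step later lines belong to
    if perms.get("id-token") != "write":
        findings.append("permissions block lacks id-token: write")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_trusted_publishing(HALF_MIGRATED)) or "ok")
```
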

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 57141b3 and bf79acf.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (1 hunks)


@curquiza curquiza left a comment


We need to remove the NPM secret @Strift as the example in the docs
If I'm correct

@Strift Strift requested a review from curquiza December 13, 2025 03:34