Skip to content

ci: use npm trusted publishing for releases#106

Merged
sjoerdbeentjes merged 1 commit into
mainfrom
chore/npm-trusted-publishing
Jul 14, 2026
Merged

ci: use npm trusted publishing for releases#106
sjoerdbeentjes merged 1 commit into
mainfrom
chore/npm-trusted-publishing

Conversation

@sjoerdbeentjes

Copy link
Copy Markdown
Collaborator

What

Switch the release workflow to npm trusted publishing (OIDC) now that it's configured on npmjs.com for the published packages.

  • Drop NPM_TOKEN / NODE_AUTH_TOKEN — the publish step now authenticates via the OIDC id-token instead of a long-lived token.
  • Drop NPM_CONFIG_PROVENANCE — provenance is generated automatically under trusted publishing.
  • Upgrade the global npm to latest before publishing — trusted publishing needs npm ≥ 11.5.1, and Node 22 ships npm 10.x. changeset publish shells out to this global npm.

Reviewer notes

  • id-token: write was already present, so no permissions change was needed.
  • Node 22.14+ (the other trusted-publishing requirement) is already satisfied by .nvmrc.
  • Trusted publishing is configured per-package on npm — confirm it's set for both @surfnet/curve-react and @surfnet/curve-angular, and that the configured workflow filename matches release.yml.
  • The NPM_TOKEN repo secret can be deleted once this merges, if nothing else uses it.

npm now authenticates the publish step via OIDC (trusted publishing)
instead of a long-lived NPM_TOKEN. Drop the token env vars and the
explicit provenance flag (provenance is automatic under trusted
publishing), and upgrade the global npm to >= 11.5.1 since that is the
minimum version trusted publishing requires and Node 22 ships npm 10.x.
@sjoerdbeentjes
sjoerdbeentjes merged commit 58d500d into main Jul 14, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant