Use npm trusted publishing (remove NODE_AUTH_TOKEN)#11

Merged: jehiah merged 1 commit into main from feature/npm-trusted-publishing on Jun 24, 2026

@jehiah (Member) commented Jun 24, 2026

Summary

The npm_release.yaml workflow already grants id-token: write and publishes with --provenance, which means it uses npm's trusted publishing via OIDC. With trusted publishing, no long-lived auth token is needed, so the NODE_AUTH_TOKEN / secrets.NPM_TOKEN is redundant.

Changes

  • Remove the NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} env from the npm publish step.
  • Add npm install -g npm@latest before publishing, since trusted publishing requires npm >= 11.5.1 (newer than the version bundled with Node 22.x).

Notes

This requires that a trusted publisher for this package be configured on npmjs.com (linking the repo + npm_release.yaml workflow). Once that's in place, the NPM_TOKEN secret can be removed from the repo.

Remove NODE_AUTH_TOKEN since the workflow uses OIDC trusted publishing
(id-token: write + --provenance). Upgrade npm to ensure a version that
supports trusted publishing.
@jehiah jehiah marked this pull request as ready for review June 24, 2026 16:52
@jehiah jehiah requested a review from colinhemphill June 24, 2026 16:52
@jehiah jehiah merged commit 128c7f3 into main Jun 24, 2026
1 check passed
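
A preflight check for the conditions this PR relies on, as an added example that is not part of the pull request or the repository's workflow. The function names are hypothetical, the 11.5.1 minimum is the figure from the PR description, and the two `ACTIONS_ID_TOKEN_REQUEST_*` variables are the ones GitHub Actions sets for jobs granted `id-token: write`.

```shell
#!/bin/sh
# Added example: preflight for an npm trusted-publishing job. Function names are
# hypothetical; the 11.5.1 minimum is the figure quoted in the PR description.
MIN_NPM="11.5.1"

# version_ge A B: succeed when dotted version A >= B, comparing fields numerically
# so that 11.10.0 sorts above 11.5.1 (a plain string compare gets this wrong).
version_ge() {
  va=${1#v}; va=${va%%[-+]*}   # drop leading "v"; pre-release/build suffix ignored
  vb=${2#v}; vb=${vb%%[-+]*}
  case $va in ''|*[!0-9.]*) return 1 ;; esac   # reject unparsable versions
  for _field in major minor patch; do
    x=${va%%.*}; y=${vb%%.*}
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

# preflight NPM_VERSION: print one finding per line, return 0 only when clean.
preflight() {
  rc=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM"; rc=1
  fi
  # GitHub Actions sets both variables only for jobs granted id-token: write.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: job lacks id-token: write"; rc=1
  fi
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is set: a long-lived token is still exposed to this step"; rc=1
  fi
  return "$rc"
}

# Demo on constructed values (not taken from the repository's CI runs).
(
  ACTIONS_ID_TOKEN_REQUEST_URL="https://oidc.example.invalid/token"
  ACTIONS_ID_TOKEN_REQUEST_TOKEN="constructed-request-token"
  NODE_AUTH_TOKEN="constructed-legacy-token"
  preflight "10.9.2"
) || true
```

In a workflow the call would be `preflight "$(npm --version)" || exit 1`, placed after the npm upgrade and just before `npm publish`.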