chore(NODE-7563): migrate main release workflows to npm trusted publishers#4941
Merged
Merged
Conversation
…shers Replace NPM_TOKEN with OIDC dispatch to npm-publish.yml in release.yml and release-alpha.yml; remove dormant release-6.8.yml.
This was referenced May 18, 2026
Move alphaVersion input to an env var so bash does not perform command substitution on user-controlled input (semgrep finding).
tadjik1
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates the main (latest) and alpha release GitHub Actions workflows to npm Trusted Publishing by dispatching to the centralized npm-publish.yml workflow (OIDC-based), and removes the deprecated release-6.8.yml workflow.
Changes:
- Update
release.ymlto dispatchnpm-publish.ymlinstead of publishing directly withNPM_TOKEN. - Update
release-alpha.ymlto dispatchnpm-publish.ymlfor alpha publishing. - Remove the dormant
release-6.8.ymlworkflow.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Switch latest release publishing to dispatch-and-wait.mjs → npm-publish.yml and update token permissions accordingly. |
| .github/workflows/release-alpha.yml | Switch alpha publishing to dispatch-and-wait.mjs → npm-publish.yml and adjust permissions/inputs handling. |
| .github/workflows/release-6.8.yml | Remove EOL release workflow. |
PavelSafronov
previously approved these changes
May 18, 2026
PavelSafronov
approved these changes
May 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Summary of Changes
Migrates
release.yml(latest tag) andrelease-alpha.ymlto npm Trusted Publishing by dispatching to the centralizednpm-publish.ymlworkflow introduced in #4930. Also removes the dormantrelease-6.8.yml(6.8 branch is EOL; last release was 6.8.2 in Sep 2024).Notes for Reviewers
Follows the pattern established for the nightly release in #4930. The key constraint: with
workflow_call, the OIDC token'sworkflow_refclaim points to the caller's filename rather thannpm-publish.yml, breaking npm Trusted Publishing's workflow-filename matching (see npm/documentation#1755). Usingworkflow_dispatchviadispatch-and-wait.mjsworks around this.Backport PRs: #4942 (5.x), #4943 (6.x)
Double check the following
npm run check:lint)type(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript