Skip to content

chore(npm): Update release npm action to stop using tokens#526

Merged
gnbm merged 2 commits intomainfrom
gm/review-publish-npm-ga
Nov 11, 2025
Merged

chore(npm): Update release npm action to stop using tokens#526
gnbm merged 2 commits intomainfrom
gm/review-publish-npm-ga

Conversation

@gnbm
Copy link
Contributor

@gnbm gnbm commented Nov 8, 2025
edited
Loading

What is the current behavior?

  • The CD workflow still relies on a long-lived NPM_TOKEN, so it cannot use npm’s trusted-publisher (OIDC) flow.
  • CI runs against Node 18 and uses unpinned action versions.

GitHub Issue Number: N/A

What is the new behavior?

  • CD workflow now requests id-token: write, configures actions/setup-node@v6 with the npm registry, upgrades npm, and runs npm run publish:ci without writing .npmrc, so publishing uses the short-lived OIDC credential.
  • CI workflow tests on Node 20.x and pins actions/checkout and actions/setup-node to the most recent versions.

Does this introduce a breaking change?

  • Yes
  • No

Testing

  • Not run (GitHub Actions workflow update only).

Other information

  • Aligns all release workflows with npm’s trusted-publishing requirements so the branch can pass new registry enforcement.

@gnbm gnbm marked this pull request as ready for review November 8, 2025 23:48
@gnbm gnbm requested a review from Copilot November 9, 2025 02:25
Copilot AI reviewed Nov 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR modernizes the CI/CD workflows by updating Node.js versions, pinning GitHub Actions to specific commit SHAs for security, and transitioning to a more secure npm authentication method using OIDC.

Key changes:

  • Upgraded Node.js from version 18 to version 20 across both workflows
  • Pinned GitHub Actions to commit SHAs with version tags for immutability and security
  • Refactored npm authentication from .npmrc token approach to registry-url configuration with OIDC permissions

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/ci.yml Updated Node version to 20.x, pinned actions to commit SHAs, and added emoji labels to workflow steps
.github/workflows/cd.yml Updated Node version to 20, added OIDC permissions block, replaced manual npm token setup with registry-url configuration, and added emoji labels to workflow steps

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gnbm gnbm requested a review from Copilot November 9, 2025 14:46
Copilot AI reviewed Nov 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gnbm gnbm requested a review from Copilot November 9, 2025 14:49
Copilot AI reviewed Nov 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@thetaPC thetaPC removed their assignment Nov 11, 2025
@thetaPC thetaPC self-requested a review November 11, 2025 16:46
thetaPC
thetaPC approved these changes Nov 11, 2025
View reviewed changes
Copy link

@thetaPC thetaPC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gnbm gnbm merged commit a196515 into main Nov 11, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ShaneK ShaneK ShaneK approved these changes

@thetaPC thetaPC thetaPC approved these changes

Assignees

No one assigned

Labels

github_actions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gnbm @ShaneK @thetaPC