Skip to content

move to npm trusted publishing #337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wpalmeri merged 1 commit into from
Jan 16, 2026
Merged

move to npm trusted publishing #337

wpalmeri merged 1 commit into from
Jan 16, 2026

Conversation

@wpalmeri
Copy link
Contributor

@wpalmeri wpalmeri commented Jan 16, 2026

Update npm publish workflow to include provenance. Trust relationship already exists on npmjs

@wpalmeri
move to npm trusted publishing
3ee7b05 
Update npm publish workflow to include provenance. Trust relationship already exists on npmjs
Copilot AI review requested due to automatic review settings January 16, 2026 00:30
Copilot AI reviewed Jan 16, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request updates the npm publish workflow to use npm's trusted publishing with provenance attestations. The changes enable OIDC-based authentication for publishing packages, eliminating the need for long-lived NPM_TOKEN secrets.

Changes:

  • Added OIDC permissions (id-token: write and contents: read) to enable trusted publishing
  • Added --provenance flag to generate build attestations during package publication
  • Removed manual authentication via NODE_AUTH_TOKEN environment variable, relying on OIDC authentication instead

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@stellar-jenkins
Copy link

stellar-jenkins commented Jan 16, 2026

Preview is available here:
http://design-system-pr337.previews.kube001.services.stellar-ops.com/

@wpalmeri wpalmeri merged commit 19d1cb5 into main Jan 16, 2026
12 checks passed
@wpalmeri wpalmeri deleted the npm-trusted-publishing branch January 16, 2026 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@quietbits quietbits quietbits approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@wpalmeri @stellar-jenkins @quietbits