Merge pull request #28 from BitGo/VL-3686-enable-oidc-trusted-publishing

lcovar · web-flow · commit 6e520d3ab764 · 2025-11-05T14:11:45.000-06:00
Enable OIDC trusted publishing for npm packages
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,6 +12,10 @@ jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,9 +59,6 @@ jobs:
         run: |
           echo "workspaces-update = false" >> .npmrc
           echo "@bitgo:registry=https://registry.npmjs.org" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Install Packages
         run: npm ci --workspaces --include-workspace-root
@@ -72,4 +73,3 @@ jobs:
         run: npx lerna publish --yes --no-verify-access
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
