Migrate to Trusted Publishing with provenance attestation (#341)

mathiasbynens · web-flow · commit b7cda175fa7b · 2025-10-14T14:30:56.000+02:00
https://docs.npmjs.com/trusted-publishers
diff --git a/.github/workflows/publish-on-tag.yml b/.github/workflows/publish-on-tag.yml
@@ -8,13 +8,19 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+      - name: Update npm
+        run: npm install -g npm@latest
       - name: Publish
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
         run: |
-          npm config set registry 'https://wombat-dressing-room.appspot.com/'
-          npm config set '//wombat-dressing-room.appspot.com/:_authToken' '${NPM_TOKEN}'
-          npm publish
+          npm publish --provenance --access public
