update: publish workflow changed to OIDC (#8469)

Bayheck · web-flow · commit 7bbffec44b09 · 2025-12-22T11:24:00.000+05:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,43 +4,43 @@ on:
   release:
     types: [published]
 
+permissions:
+  id-token: write  # Required for OIDC (Trusted Publishing)
+  contents: read
+
 jobs:
   npm-publish:
     if: ${{ !github.event.release.draft }}
     runs-on: ubuntu-latest
-    environment: release
+    environment: npmjs
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.release.target_commitish }}
       - run: git fetch --force --tags
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 24
           registry-url: 'https://registry.npmjs.org'
-      - run: npm install
+      - run: npm ci
       - run: npm run publish-please-only
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
   docker-publish:
     needs: npm-publish
     runs-on: ubuntu-latest
     environment: release
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.release.target_commitish }}
       - run: git fetch --force --tags
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 24
           registry-url: 'https://registry.npmjs.org'
-      - uses: docker/login-action@v1
+      - uses: docker/login-action@v3
         with:
             username: ${{ secrets.DOCKERHUB_USERNAME }}
             password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - run: npm install
+      - run: npm ci
       - run: npx gulp build
-      - run: gulp docker-publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: gulp docker-publish
