
Commit 915db4f

Merge pull request #6707 from Shopify/migrate-release-workflows
Migrate release workflows to OIDC auth
2 parents 06d8de3 + c8553fc commit 915db4f


2 files changed

+12
-12
lines changed


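--- a/.github/actions/setup-cli-deps/action.yml
+++ b/.github/actions/setup-cli-deps/action.yml
@@ -18,9 +18,10 @@ runs:
         version: ${{ env.PNPM_VERSION }}
         run_install: false
     - name: Install Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ inputs.node-version }}
+        registry-url: 'https://registry.npmjs.org'
         cache: 'pnpm'
         cache-dependency-path: 'pnpm-lock.yaml'
     - name: Install dependencies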
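Review bot: The new `uses: actions/setup-node@v4` still references a floating major tag, and this composite is now invoked by jobs that hold `id-token: write` and use the OIDC identity as the npm publish credential, so a retagged upstream release would run inside the publishing context; pin third-party actions to a full commit SHA, e.g. `uses: actions/setup-node@<full-commit-sha> # v4`. The added `registry-url` line makes setup-node write an .npmrc that, as far as I recall, resolves its auth token from `NODE_AUTH_TOKEN` rather than the `NPM_TOKEN` the workflows clear, so it is worth confirming that the npm/pnpm version installed here supports trusted publishing and does not choke on an unset token variable. The `runs:` step list begins before and continues after this hunk.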

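--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,10 @@ jobs:
     name: Snapit
     if: ${{ github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/snapit' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
     steps:
       # WARNING: DO NOT RUN ANY CUSTOM LOCAL SCRIPT BEFORE RUNNING THE SNAPIT ACTION
       # This action can be executed by 3rd party users and it should not be able to run arbitrary code from a PR.
@@ -71,7 +75,8 @@ jobs:
           build_script: "pnpm nx run-many --target=bundle --all --skip-nx-cache --output-style=stream && pnpm refresh-manifests"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ''
+          NPM_CONFIG_PROVENANCE: true
           SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}
 
   # Changeset release job - runs on push to main or stable branches
@@ -80,7 +85,7 @@ jobs:
     if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.tag == '') }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
       id-token: write
     steps:
@@ -99,7 +104,7 @@ jobs:
           title: Version Packages - ${{ github.ref_name }}
           publish: pnpm release latest
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ''
           NPM_CONFIG_PROVENANCE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}
@@ -110,7 +115,7 @@ jobs:
     if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.tag != '') }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
       id-token: write
     steps:
@@ -122,16 +127,10 @@ jobs:
         uses: ./.github/actions/setup-cli-deps
         with:
           node-version: 24.1.0
-      - name: Creating .npmrc
-        run: |
-          cat << EOF > "$HOME/.npmrc"
-          //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Release
         run: pnpm release ${{ github.event.inputs.tag || 'nightly' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ''
           NPM_CONFIG_PROVENANCE: true
           SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}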
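Review bot: The Snapit job (hunk at `@@ -41`) now grants `id-token: write` while still being triggered by `issue_comment`, so the job's OIDC identity is an npm publish credential inside a workflow that, per the existing WARNING comment, third-party users can start; the comment should say so, e.g. `# With id-token: write the job's OIDC token is the npm publish credential - never run PR-controlled code before the snapit action.` The changeset and nightly jobs (hunks at `@@ -80` and `@@ -110`) lower `contents: write` to `contents: read` while the hunk at `@@ -99` still passes `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the changesets step; if that step pushes the Version Packages branch or creates GitHub releases with this token, those calls will now be rejected unless a separate token defined outside these hunks is used, which is worth confirming before merge. The job definitions begin and end outside the hunks shown.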
