
Commit a61a531

Merge pull request #15 from hyperledger/npm-migration
Update release workflow with permissions and Node.js version
2 parents ee2b032 + e82d777 commit a61a531


1 file changed

+19
-10
lines changed


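--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,18 +11,28 @@ jobs:
 release-stable:
 runs-on: ubuntu-24.04
 name: Release Stable
+permissions:
+contents: write
+id-token: write # Required for npm trusted publishing
 outputs:
 published: ${{ steps.changesets.outputs.published }}
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
 
 - uses: pnpm/action-setup@v4
+
 - name: Setup NodeJS
 uses: actions/setup-node@v4
 with:
 node-version: 22
 cache: "pnpm"
+registry-url: "https://registry.npmjs.org"
+
+# Ensure npm >= 11.5.1 for trusted publishing support.
+# Automatically fetch future security updates
+- name: Update npm
+run: npm install -g npm@^11.5.1
 
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
@@ -37,7 +47,6 @@ jobs:
 version: pnpm changeset-version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 - name: Get current package version
 id: get_version
@@ -54,32 +63,32 @@ jobs:
 name: Release Unstable
 needs: release-stable
 if: always() && github.event_name == 'push' && needs.release-stable.outputs.published == 'false'
+permissions:
+contents: write
+id-token: write # Required for npm trusted publishing
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
 
 - uses: pnpm/action-setup@v4
+
 - name: Setup NodeJS
 uses: actions/setup-node@v4
 with:
 node-version: 20
 cache: "pnpm"
+registry-url: "https://registry.npmjs.org"
+
+# Ensure npm >= 11.5.1 for trusted publishing support
+- name: Update npm
+run: npm install -g [email protected]
 
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
 
-- name: Creating .npmrc
-run: |
-cat << EOF > ".npmrc"
-//registry.npmjs.org/:_authToken=$NPM_TOKEN
-EOF
-env:
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
 - name: Create unstable release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: |
 # this ensures there's always a patch release created
 cat << 'EOF' > .changeset/snapshot-template-changeset.md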
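Review bot: The new `Update npm` step in `release-stable` runs `npm install -g npm@^11.5.1`, a floating range, so each release run installs whichever 11.x npm is newest at that moment, in a job that now holds `id-token: write` and `contents: write`. The matching step in `release-unstable` appears to request one fixed version (the value is obscured on this page), so the two jobs can publish with different npm builds. The comment shows the range is deliberate, but an exact version in both jobs, for example `run: npm install -g npm@11.5.1`, bumped through a reviewed dependency update, keeps the publishing toolchain reproducible. Since the permissions are set at job level, every step in each job, including `pnpm install --frozen-lockfile` and the tag-referenced `@v4` actions, can likely request the OIDC token; consider moving the publish step into its own job that alone carries `id-token: write`, and pinning the actions as `uses: actions/checkout@<full-commit-sha>`. The `Create unstable release` step's `run` block continues past the end of the last hunk.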
