ci(npm): configure trusted publishing with OIDC

bug-ops · bug-ops · commit 37fa9d9e9ea2 · 2025-12-16T19:11:23.000+01:00
- Add job-level permissions (id-token: write, contents: read) - Add environment protection (npm) - Enable provenance attestations with --provenance flag - Remove NODE_AUTH_TOKEN in favor of OIDC authentication - Create .npmrc with provenance=true as fallback Ref: https://docs.npmjs.com/trusted-publishers
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -216,6 +216,12 @@ jobs:
     runs-on: ubuntu-latest
     needs: npm-build
     timeout-minutes: 15
+    permissions:
+      id-token: write
+      contents: read
+    environment:
+      name: npm
+      url: https://www.npmjs.com/package/feedparser-rs
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -235,11 +241,9 @@ jobs:
           ls -lh prebuilts/
       - run: npm ci
         working-directory: crates/feedparser-rs-node
-      - name: Publish
+      - name: Publish with provenance
         working-directory: crates/feedparser-rs-node
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance
 
   # ============================================================================
   # GITHUB RELEASE
diff --git a/crates/feedparser-rs-node/.npmrc b/crates/feedparser-rs-node/.npmrc
@@ -0,0 +1,3 @@
+# Enable provenance attestations for supply chain security
+# https://docs.npmjs.com/generating-provenance-statements
+provenance=true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Enable provenance attestations for supply chain security`
	`2`	`+# https://docs.npmjs.com/generating-provenance-statements`
	`3`	`+provenance=true`