chore(CD): Release with OIDC trusted publishing (#5709)

jmuzina · web-flow · commit 2929c627e3fa · 2025-12-02T10:41:06.000-05:00
* remove node token from publish job

* specify release job permission scope
diff --git a/.github/workflows/publish-on-release.yml b/.github/workflows/publish-on-release.yml
@@ -32,6 +32,10 @@ jobs:
     name: Publish to NPM
     needs: build
     runs-on: ubuntu-latest
+    # https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
+    permissions:
+      contents: read # to enable reading the contents of the release for publishing
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -40,12 +44,8 @@ jobs:
           registry-url: https://registry.npmjs.org/
       - if: ${{ !github.event.release.prerelease }}
         run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
       - if: ${{ github.event.release.prerelease }}
         run: npm publish --tag next
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 
   publish-assets:
     name: Publish to assets server
