chore(ci): Use trusted publishing for NPM packages (#10236)

ovr · web-flow · commit 816676b34fd2 · 2025-12-10T18:15:42.000+01:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -16,6 +16,7 @@ jobs:
     timeout-minutes: 30
     permissions:
       contents: write
+      id-token: write  # Required for OIDC trusted publishing
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -30,6 +31,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 22.x
+          registry-url: 'https://registry.npmjs.org/'
+      - name: Upgrade npm for OIDC support
+        run: npm install -g npm@11.7.0
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
         run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
@@ -59,10 +63,6 @@ jobs:
         run: yarn lerna run --concurrency 1 build
         env:
           NODE_OPTIONS: --max_old_space_size=4096
-      - name: Set NPM token
-        run: echo //registry.npmjs.org/:_authToken="$NPM_TOKEN" > ~/.npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: NPM publish
         run: ./node_modules/.bin/lerna publish from-package --yes
 
