File sync from domdomegg/domdomegg

Github Action · Github Action · commit 2cd95059871e · 2025-12-10T15:24:50.000Z
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -41,6 +41,9 @@ jobs:
     needs: ci
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
     env:
       CI: true
     steps:
@@ -55,7 +58,17 @@ jobs:
         run: npm ci
       - name: Build
         run: npm run build --if-present
+      - uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: 'projects/457105351064/locations/global/workloadIdentityPools/github-secrets-pool/providers/github-secrets-github'
+      - uses: google-github-actions/setup-gcloud@v2
+      - name: Get NPM token
+        id: npm-token
+        run: |
+          token=$(gcloud secrets versions access latest --secret=npm-token --project=gcp-github-secrets)
+          echo "::add-mask::$token"
+          echo "token=$token" >> "$GITHUB_OUTPUT"
       - name: Publish ${{ github.ref }}
         run: npm publish
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NODE_AUTH_TOKEN: ${{ steps.npm-token.outputs.token }}
