55 branches :
66 - main
77
8- # Default to no permissions unless granted at job level
98permissions : {}
109
1110jobs :
4544 - name : Upgrade npm for trusted publishing
4645 run : npm i -g npm@^11.5.1
4746
48- # IMPORTANT: Prevent changesets/action from generating an auth-token ~/.npmrc
49- # (OIDC trusted publishing should NOT use NODE_AUTH_TOKEN / NPM_TOKEN)
50- - name : Configure npm for trusted publishing (no token)
47+ # Keep a minimal npmrc with NO token. OIDC will be used during publish.
48+ - name : Configure npm (no token)
5149 run : |
5250 cat > ~/.npmrc <<'EOF'
5351 registry=https://registry.npmjs.org/
@@ -66,17 +64,26 @@ jobs:
6664 npm -v
6765 yarn -v
6866 npm config get registry
69- npm config list -l | grep -E '(_auth|token|always-auth)' || true
7067
71- - name : Create release pull request or Publish to npm
68+ # LATEST CHANNEL: use changesets/action ONLY for the PR/versioning logic
69+ - name : Create or update release PR
7270 if : matrix.channel == 'latest'
71+ id : changesets
7372 uses : changesets/action@v1
7473 with :
7574 version : yarn changesetversion
76- publish : yarn changeset publish
7775 env :
7876 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
7977
78+ # LATEST CHANNEL: publish only when there is no changeset PR to make/update
79+ # (i.e. we're on main after merge, or there are no changesets but some packages are unpublished)
80+ - name : Publish to npm (OIDC)
81+ if : matrix.channel == 'latest' && steps.changesets.outputs.hasChangesets == 'false'
82+ run : yarn changeset publish
83+ env :
84+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
85+
86+ # DEV CHANNEL: snapshot publishes directly (OIDC)
8087 - name : Release to @dev channel
8188 if : matrix.channel == 'dev'
8289 run : |
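Review bot: The verification step at the top of the hunk (`npm -v` … `npm config get registry`) loses the only check that no token-style auth is configured before publishing, because the `npm config list -l | grep -E '(_auth|token|always-auth)' || true` line is removed without a replacement, while the new "Publish to npm (OIDC)" step still depends on that invariant holding. Restoring that line after `npm config get registry` keeps a cheap, visible assertion in the job log that trusted publishing is not silently falling back to a credential; if it proves quiet on a clean runner it could be tightened into a failing check, `! npm config list -l | grep -qE '(_auth|token|always-auth)'`. Separately, the publish step carries only `GITHUB_TOKEN` in `env`, and with `permissions: {}` at the workflow level the job must grant `id-token: write` for the OIDC exchange to work — that job-level block is outside this hunk, so it is worth confirming it is present and that no job-level `env` reintroduces `NODE_AUTH_TOKEN`/`NPM_TOKEN` into this step.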