ci: use OIDC for publishing

G-Rath · G-Rath · commit 2d3b34a1aff2 · 2025-10-23T08:02:17.000+13:00
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -143,7 +143,7 @@ jobs:
       contents: write # to be able to publish a GitHub release
       issues: write # to be able to comment on released issues
       pull-requests: write # to be able to comment on released pull requests
-      id-token: write # to enable use of OIDC for npm provenance
+      id-token: write # to enable use of OIDC for npm provenance and publishing
 
     if:
       # prettier-ignore
@@ -160,9 +160,14 @@ jobs:
         with:
           node-version: lts/*
           cache: yarn
+
+        # todo: this can be removed once we are using a version of Node that
+        #  ships with npm v11.5.1 or higher, which is needed for using oidc
+      - name: install latest npm
+        run: npm i -g npm
+
       - name: install
         run: yarn
       - run: yarn semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
@@ -137,8 +137,5 @@
   "packageManager": "yarn@4.10.3",
   "engines": {
     "node": "^20.12.0 || ^22.0.0 || >=24.0.0"
-  },
-  "publishConfig": {
-    "provenance": true
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -137,8 +137,5 @@`
`137`	`137`	`"packageManager": "[email protected]",`
`138`	`138`	`"engines": {`
`139`	`139`	`"node": "^20.12.0 \|\| ^22.0.0 \|\| >=24.0.0"`
`140`		`- },`
`141`		`- "publishConfig": {`
`142`		`- "provenance": true`
`143`	`140`	`}`
`144`	`141`	`}`