ci: use OIDC for publishing #1832
Conversation
@SimenB you'll need to set up the trusted publisher on the npm package - I believe this is the setup to use:
I did that a couple of weeks ago, so this repo should be good to go
.github/workflows/nodejs.yml
Outdated
| - name: install latest npm | ||
| run: npm i -g npm |
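Review bot: `npm i -g npm` installs whatever npm version is latest at run time, unpinned, so the publish tooling of the release job can change silently between runs. If the step is kept as a belt-and-braces guarantee of trusted-publishing support, pin it (`npm i -g npm@<version>`) so a bad npm release cannot break or alter publishing; if it is dropped, as the thread leans towards, add a cheap `npm --version` check so a too-old bundled npm fails this job loudly rather than weeks later at the next release.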
do we need to install it ourselves? semantic-release depends on npm, so I would've thought it pulled it in for us
ah nice, I hadn't realized that - I would still prefer keeping this for now though to be extra sure since it doesn't cost us anything and we don't have a lot of releases these days so it could be a while before we realize there's an issue with publishing
I'd prefer a quick test release (can be a next branch) for the OIDC stuff anyways, so testing without installing npm manually seems good? the less config the better 😀
all good but in that case would you mind actioning that? as the last time I tried doing a next branch things went pear-shaped 😅
🎉 This PR is included in version 29.0.2-next.1 🎉 The release is available on: Your semantic-release bot 📦🚀
Since it worked ( 🎉 ) I've deleted the old secret from the repo
🎉 This PR is included in version 29.1.0 🎉 The release is available on: Your semantic-release bot 📦🚀

This switches us to using trusted publishing aka OIDC for authenticating with the NPM registry to publish releases, rather than long-lived access tokens.
This is more secure and will become all but required for CI-based releases, as publishing tokens will have a max expiration of 90 days.
Because of the magic that is OIDC this should "just work" 🤞
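The before and after that the description refers to, as an added example that is not the project's own nodejs.yml: the same semantic-release job first with a long-lived NPM_TOKEN secret and then with trusted publishing, where the required change on the workflow side is granting the job `id-token: write`. Job names, the Node version and the assumption that the installed npm and semantic-release support trusted publishing are mine; the trusted publisher registered on npmjs.com must name this repository and this workflow file.

```yaml
# Added example, not the project's workflow. Job names, Node version and the
# assumption that npm/semantic-release support trusted publishing are mine.
name: release
on:
  push:
    branches: [main]

jobs:
  # BEFORE: a long-lived automation token stored as a repository secret.
  # Any step in the job (and any dependency's install script) can read it,
  # and it stays valid until someone rotates it.
  release-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived publish credential

  # AFTER: trusted publishing. The job asks GitHub for a short-lived OIDC
  # token; the npm CLI exchanges it for a publish credential bound to this
  # repository and workflow file, so there is no secret to store, leak or
  # rotate. Setting `permissions:` drops every default grant, so the scopes
  # semantic-release needs are listed explicitly.
  release-with-oidc:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the release tag and notes
      issues: write          # "included in version" comments
      pull-requests: write
      id-token: write        # the one line that enables OIDC publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # No NPM_TOKEN: with id-token: write granted, the npm CLI obtains and
      # uses the OIDC credential itself.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Once the OIDC job has published successfully, the NPM_TOKEN secret can be deleted from the repository, as was done in this thread, so nothing long-lived remains to leak.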