ci: Update release workflow for npm OIDC authentication (#795)

jaissica12 · web-flow · commit d93ceac84c47 · 2025-12-16T12:19:15.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -70,13 +70,18 @@ jobs:
             - build-and-test
             - create-release-branch
             - confirm-public-repo-master-branch
+        # OIDC permissions for npm trusted publishing
+        permissions:
+          contents: write
+          issues: write
+          pull-requests: write
+          id-token: write # Required for OIDC authentication with npm
         env:
             GITHUB_TOKEN: ${{ secrets.MP_SEMANTIC_RELEASE_BOT }}
             GIT_AUTHOR_NAME: mparticle-automation
             GIT_AUTHOR_EMAIL: developers@mparticle.com
             GIT_COMMITTER_NAME: mparticle-automation
             GIT_COMMITTER_EMAIL: developers@mparticle.com
-            NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
         steps:
             - name: Checkout public master branch
@@ -100,10 +105,14 @@ jobs:
               uses: actions/setup-node@v3
               with:
                   node-version: 14.x
+                  registry-url: 'https://registry.npmjs.org'
 
             - name: Install dependencies
               run: npm ci
 
+            - name: Ensure npm CLI supports OIDC
+              run: npm install -g npm@latest
+
             - name: Release --dry-run
               if: ${{ github.event.inputs.dryRun == 'true'}}
               run: |
diff --git a/package.json b/package.json
@@ -4,6 +4,11 @@
     "description": "Media SDK for mParticle",
     "main": "dist/mparticle-media.common.js",
     "types": "dist/index.d.ts",
+    "publishConfig": {
+        "access": "public",
+        "provenance": true,
+        "registry": "https://registry.npmjs.org"
+    },
     "repository": "https://github.com/mParticle/mparticle-web-media-sdk",
     "directories": {
         "test": "test"
diff --git a/release.config.js b/release.config.js
@@ -33,11 +33,17 @@ module.exports = {
                 changelogFile: 'CHANGELOG.md',
             },
         ],
-        ['@semantic-release/npm'],
+        [
+            '@semantic-release/npm',
+            {
+                npmPublish: false, // Disable npm publish here; we use exec with OIDC instead
+            },
+        ],
         [
             '@semantic-release/exec',
             {
                 prepareCmd: 'sh ./scripts/release.sh',
+                publishCmd: 'npm publish',
             },
         ],
         [

Original file line number	Diff line number	Diff line change
`@@ -33,11 +33,17 @@ module.exports = {`
`33`	`33`	`changelogFile: 'CHANGELOG.md',`
`34`	`34`	`},`
`35`	`35`	`],`
`36`		`- ['@semantic-release/npm'],`
	`36`	`+ [`
	`37`	`+ '@semantic-release/npm',`
	`38`	`+ {`
	`39`	`+ npmPublish: false, // Disable npm publish here; we use exec with OIDC instead`
	`40`	`+ },`
	`41`	`+ ],`
`37`	`42`	`[`
`38`	`43`	`'@semantic-release/exec',`
`39`	`44`	`{`
`40`	`45`	`prepareCmd: 'sh ./scripts/release.sh',`
	`46`	`+ publishCmd: 'npm publish',`
`41`	`47`	`},`
`42`	`48`	`],`
`43`	`49`	`[`