fix: use OIDC npm releases

modbender · modbender · commit dafd058a0ed0 · 2025-12-17T18:47:50.000+05:30
diff --git a/.github/workflows/ltpr.yml b/.github/workflows/ltpr.yml
@@ -3,11 +3,12 @@ name: Lint, Test, Publish and Release
 permissions:
   checks: write
   contents: write
+  id-token: write # Required for npm OIDC Trusted Publishing
 
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   lint:
@@ -21,9 +22,9 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 'lts/*'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'pnpm'
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org"
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -55,8 +56,8 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 'lts/*'
-          cache: 'pnpm'
+          node-version: "lts/*"
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -92,8 +93,8 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 'lts/*'
-          cache: 'pnpm'
+          node-version: "lts/*"
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -120,6 +121,9 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     needs: [lint, test, build]
+    permissions:
+      contents: write
+      id-token: write # Required for npm OIDC Trusted Publishing
     steps:
       - uses: actions/checkout@v4
         with:
@@ -136,25 +140,27 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 'lts/*'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'pnpm'
+          node-version: "lts/*"
+          registry-url: "https://registry.npmjs.org"
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
       - name: Run dev:prepare
         run: pnpm dev:prepare
 
-      - name: Publish to npm
+      # npm Trusted Publishing uses OIDC - no token needed!
+      # Configure trusted publisher at: https://www.npmjs.com/package/nuxt-tiptap-editor/access
+      - name: Publish to npm (OIDC Trusted Publishing)
         shell: bash
         if: success()
-        run: pnpm publish --access public --no-git-checks
+        run: pnpm publish --access public --no-git-checks --provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Create GitHub Release
         if: success()
         run: npx --yes changelogithub@latest
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
