release: 0.0.3, switched to npm trusted publishing (#101)

ochafik · claude · web-flow · commit 5c9665325d59 · 2025-12-09T00:52:52.000+01:00
* version: 0.0.2 * Switch to npm trusted publishing (OIDC) - Remove NPM_TOKEN secret requirement from npm-publish workflow - Uses OIDC for authentication (more secure, no long-lived tokens) - Update CONTRIBUTING.md with trusted publisher setup instructions 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * 0.0.3 --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -45,7 +45,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
-    environment: release
+    environment: Release
     needs: [build, test]
 
     permissions:
@@ -80,6 +80,6 @@ jobs:
             echo "tag=" >> $GITHUB_OUTPUT
           fi
 
+      # Uses OIDC trusted publishing - no NPM_TOKEN needed
+      # Configure at: https://www.npmjs.com/package/@modelcontextprotocol/ext-apps/access
       - run: npm publish --provenance --access public ${{ steps.npm-tag.outputs.tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -60,16 +60,21 @@ Please review our [Security Policy](SECURITY.md) for reporting security vulnerab
 
 ### Repository Setup
 
-Before publishing releases, ensure the following are configured:
+This repository uses [npm trusted publishing](https://docs.npmjs.com/trusted-publishers/) with OIDC - no secrets required.
 
-1. **NPM_TOKEN secret**: Add an npm automation token to the repository secrets
-   - Go to Settings � Secrets and variables � Actions
-   - Create a new secret named `NPM_TOKEN`
-   - Value: an npm automation token with publish permissions for `@modelcontextprotocol/ext-apps`
+Before publishing releases, ensure the following are configured:
 
-2. **`release` environment** (optional): Create a protected environment for additional safeguards
-   - Go to Settings � Environments � New environment
-   - Name it `release`
+1. **Trusted publisher on npm**: Configure the package to trust this GitHub repository
+   - Go to https://www.npmjs.com/package/@modelcontextprotocol/ext-apps/access
+   - Under "Trusted Publishers", click "Add trusted publisher"
+   - Select "GitHub Actions"
+   - Repository: `modelcontextprotocol/ext-apps`
+   - Workflow filename: `npm-publish.yml`
+   - Environment: `Release` (optional, for additional protection)
+
+2. **`Release` environment** (optional): Create a protected environment for additional safeguards
+   - Go to Settings > Environments > New environment
+   - Name it `Release`
    - Add required reviewers or other protection rules as needed
 
 ### Publishing a Release
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "homepage": "https://github.com/modelcontextprotocol/ext-apps",
   "name": "@modelcontextprotocol/ext-apps",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "license": "MIT",
   "description": "MCP Apps SDK — Enable MCP servers to display interactive user interfaces in conversational clients.",
   "type": "module",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"homepage": "https://github.com/modelcontextprotocol/ext-apps",`
`3`	`3`	`"name": "@modelcontextprotocol/ext-apps",`
`4`		`- "version": "0.0.2",`
	`4`	`+ "version": "0.0.3",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"description": "MCP Apps SDK — Enable MCP servers to display interactive user interfaces in conversational clients.",`
`7`	`7`	`"type": "module",`