From bd15370ddd5624f0b0dfaddb17f76bc5d685c1bb Mon Sep 17 00:00:00 2001
From: sadmann7
Date: Sun, 16 Nov 2025 07:31:18 +0600
Subject: [PATCH 1/3] feat(ci): setup npm Trusted Publishing with OIDC
---
 .github/workflows/release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6f28ca071..b4693ad42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ env:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 jobs:
 release:
@@ -24,6 +25,15 @@ jobs:
 - name: Build
 run: pnpm build
+ - name: Setup Node.js and npm for Trusted Publishing
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Update npm to latest (required for Trusted Publishing)
+ run: npm install -g npm@latest
+
 - name: Create Release
 id: changesets
 uses: changesets/action@v1.4.1
@@ -33,5 +43,7 @@ jobs:
 publish: pnpm changeset publish
 env:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
+ # NPM_TOKEN can be removed after Trusted Publishing is configured in npm
+ # For now, keeping it as fallback during migration
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
From 60ef7b1b68fcc554502d9f8cf7f5f19cffbbf2bf Mon Sep 17 00:00:00 2001
From: sadmann7
Date: Sun, 16 Nov 2025 07:46:52 +0600
Subject: [PATCH 2/3] feat(ci): remove NPM_TOKEN, use Trusted Publishing OIDC
---
 .github/workflows/release.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b4693ad42..35fec13ee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
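Review bot: In PATCH 1/3 the new `id-token: write` sits in the workflow-level `permissions:` block, so every job in this workflow can request an OIDC token, not only the job that publishes. Only the `release` job is visible in the hunk; if it is the sole publisher, declare the permissions on that job instead, with a `permissions:` map under `jobs.release` holding `contents: write`, `pull-requests: write` and `id-token: write`. Scoping at job level keeps any job added later from inheriting the ability to mint a publish-capable token. The workflow file continues outside the hunk, so other jobs may exist that are not shown.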
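Review bot: The step `run: npm install -g npm@latest` added in the `@@ -24,6 +25,15 @@` hunk of PATCH 1/3 installs an unpinned npm into the job that holds `id-token: write` and performs the publish, so whatever is tagged `latest` at run time becomes the publishing client. Pin it to a reviewed release that supports Trusted Publishing, `run: npm install -g npm@<pinned-version>`, and bump it deliberately. The same reasoning applies to `uses: actions/setup-node@v4`, which follows a movable tag; a full commit SHA with the tag in a trailing comment is the safer form for a release job.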
@@ -43,7 +43,5 @@ jobs:
 publish: pnpm changeset publish
 env:
 GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
- # NPM_TOKEN can be removed after Trusted Publishing is configured in npm
- # For now, keeping it as fallback during migration
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
\ No newline at end of file
+ # Trusted Publishing (OIDC) is configured - no NPM_TOKEN needed
+
\ No newline at end of file
From e4a6bfa1418f040b428a726808e4ca4cd319294a Mon Sep 17 00:00:00 2001
From: sadmann7
Date: Sun, 16 Nov 2025 08:00:08 +0600
Subject: [PATCH 3/3] refactor(ci): optimize setup, remove redundant steps
---
 .github/setup/action.yml | 1 +
 .github/workflows/release.yml | 9 ---------
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/.github/setup/action.yml b/.github/setup/action.yml
index 5dacb4af3..8323dd6eb 100644
--- a/.github/setup/action.yml
+++ b/.github/setup/action.yml
@@ -6,6 +6,7 @@ runs:
 - uses: actions/setup-node@v4
 with:
 node-version: 20.x
+ registry-url: 'https://registry.npmjs.org'
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35fec13ee..71f618101 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,15 +25,6 @@ jobs:
 - name: Build
 run: pnpm build
- - name: Setup Node.js and npm for Trusted Publishing
- uses: actions/setup-node@v4
- with:
- node-version: '20'
- registry-url: 'https://registry.npmjs.org'
-
- - name: Update npm to latest (required for Trusted Publishing)
- run: npm install -g npm@latest
-
 - name: Create Release
 id: changesets
 uses: changesets/action@v1.4.1
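Review bot: Removing `NPM_TOKEN` from the step's `env:` in PATCH 2/3 stops the workflow from reading the secret but does not invalidate it, and neither the new comment nor the commit message says the credential was retired. The replacement comment should carry that follow-up, for example `# Auth is npm Trusted Publishing (OIDC); revoke the old NPM_TOKEN on npm and delete the repo secret`. Until the token is revoked, the long-lived credential stays usable outside CI, which is what the move to OIDC was meant to eliminate. The hunk also keeps a whitespace-only final line with `\ No newline at end of file`; ending the file right after the comment with a single newline would be cleaner.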
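Review bot: The `release.yml` hunk of PATCH 3/3 deletes the npm upgrade step that PATCH 1/3 itself labelled "required for Trusted Publishing", while `.github/setup/action.yml` stays on `node-version: 20.x`. If the npm bundled with that Node line predates Trusted Publishing support, the OIDC exchange will presumably not take place, and with `NPM_TOKEN` already removed in PATCH 2/3 the publish has no credential to fall back on. Either keep an upgrade step pinned to a known-good release, `run: npm install -g npm@<pinned-version>`, or move the shared setup action to a Node release whose bundled npm supports it, and confirm with a `run: npm --version` line in the job log. The steps before `Build` and after `uses: changesets/action@v1.4.1` are outside the hunk.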