
Commit 790d0d7

docs(README): exchange token (#923)
* docs(README): update nodejs to conform new npm release process * docs(README): revert releaserc yml changes * docs(README): update yml files to fix release * docs(README): add verbose to releaserc yml * docs(README): remove tokens in nodejs yml * docs(README): revert whoami changes * docs(README): update auth token mechanism * docs(README): upgrade lerna * docs(README): upgrade lerna * docs(README): exchange token
1 parent 6e392cd commit 790d0d7


2 files changed

+41
-2
lines changed


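--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -68,7 +68,46 @@ jobs:
 
 - run: yarn install --frozen-lockfile
 - run: yarn build
+
+- name: Get npm token via OIDC
+id: npm-oidc
+run: |
+set -e
+
+# Get GitHub OIDC token
+echo "Requesting GitHub OIDC token..."
+OIDC_RESPONSE=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")
+OIDC_TOKEN=$(echo "$OIDC_RESPONSE" | jq -r '.value')
+
+if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then
+echo "::error::Failed to get GitHub OIDC token"
+echo "Response: $OIDC_RESPONSE"
+exit 1
+fi
+echo "✓ Got GitHub OIDC token"
+
+# Exchange for npm token
+echo "Exchanging for npm token..."
+NPM_RESPONSE=$(curl -sS -X POST "https://registry.npmjs.org/-/npm/v1/oidc/token" \
+-H "Content-Type: application/json" \
+-d "{\"oidcToken\": \"${OIDC_TOKEN}\"}")
+NPM_TOKEN=$(echo "$NPM_RESPONSE" | jq -r '.token')
+
+if [ -z "$NPM_TOKEN" ] || [ "$NPM_TOKEN" = "null" ]; then
+echo "::error::Failed to get npm token"
+echo "Response: $NPM_RESPONSE"
+exit 1
+fi
+echo "✓ Got npm token via OIDC"
+
+# Configure authentication
+echo "::add-mask::${NPM_TOKEN}"
+echo "NODE_AUTH_TOKEN=${NPM_TOKEN}" >> $GITHUB_ENV
+
+# Verify
+npm whoami --registry https://registry.npmjs.org && echo "✓ Authenticated to npm"
+
 - run: yarn run semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-# NODE_AUTH_TOKEN is set by the OIDC exchange step above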
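Review bot: The two failure branches in the `Get npm token via OIDC` step print the raw responses (`echo "Response: $OIDC_RESPONSE"` and `echo "Response: $NPM_RESPONSE"`) before anything is masked, so a body that carries the credential under a key other than `.value` or `.token` would land in the job log in clear text. Mask earlier and log less: add `echo "::add-mask::${OIDC_TOKEN}"` right after the OIDC token is extracted (it is never masked at present), and replace the response echoes with a message that reports only the failure, not the body. Appending `NODE_AUTH_TOKEN` to `$GITHUB_ENV` also makes the publish token visible to every later step of the job; handing it over as a step output into the `env:` of the `yarn run semantic-release` step alone would narrow that, assuming no other step needs it. The step presumably depends on `permissions: id-token: write` being granted to the job, which is outside this hunk and worth confirming.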

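--- a/.releaserc.yml
+++ b/.releaserc.yml
@@ -18,7 +18,7 @@ plugins:
 - - '@semantic-release/changelog'
 - changelogTitle: "# Changelog\n\nAll notable changes to this project will be documented in this file."
 - - '@semantic-release/exec'
-- publishCmd: yarn lerna publish --no-git-tag-version --no-git-reset --no-push --yes --loglevel verbose --exact ${nextRelease.version}
+- publishCmd: yarn lerna publish --no-git-tag-version --no-git-reset --no-push --yes --exact ${nextRelease.version}
 - '@semantic-release/github'
 
 preset: conventionalcommits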
