chore(ci-cd): changes to publish package via trusted oidc method (#270)

yeshamavani · web-flow · commit da978ecec986 · 2025-10-23T16:12:05.000+05:30
discontinue using tokens to publish GH-269
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,6 +4,7 @@ name: Release [Manual]
 on: workflow_dispatch
 permissions:
   contents: write
+  id-token: write   # required for trusted publishing
 jobs:
   Release:
     runs-on: ubuntu-latest
@@ -27,15 +28,15 @@ jobs:
           GITHUB_PAT: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
           CONFIG_USERNAME: ${{ vars.RELEASE_COMMIT_USERNAME }}
           CONFIG_EMAIL: ${{ vars.RELEASE_COMMIT_EMAIL }}
-      - name: Authenticate with Registry
-        run: |
-          echo "@${NPM_USERNAME}:registry=https://registry.npmjs.org/" > .npmrc
-          echo "registry=https://registry.npmjs.org/" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
-          npm whoami
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_USERNAME: ${{ vars.NPM_USERNAME }}
+      # - name: Authenticate with Registry
+      #   run: |
+      #     echo "@${NPM_USERNAME}:registry=https://registry.npmjs.org/" > .npmrc
+      #     echo "registry=https://registry.npmjs.org/" >> .npmrc
+      #     echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
+      #     npm whoami
+      #   env:
+      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      #     NPM_USERNAME: ${{ vars.NPM_USERNAME }}
 
       - name: Install 📌
         run: |
@@ -44,9 +45,12 @@ jobs:
         run: npm run test
       - name: Semantic Publish to NPM 🚀
         # "HUSKY=0" disables pre-commit-msg check (Needed in order to allow semantic-release perform the release commit)
-        run: HUSKY=0 npx semantic-release
+        run: |
+          npm config set provenance true
+          HUSKY=0 npx semantic-release
         env:
           GH_TOKEN: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # npm token not needed got trusted publishing
+          # NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Changelog 📝
         run: cd src/release_notes && HUSKY=0 node release-notes.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "loopback4-authentication",
   "version": "13.0.0",
-  "description": "A loopback-next extension for authentication feature. Various Oauth strategies supported.",
+  "description": "A loopback-next extension for authentication feature. Various Oauth strategies supported by this package.",
   "keywords": [
     "loopback-extension",
     "loopback",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "loopback4-authentication",`
`3`	`3`	`"version": "13.0.0",`
`4`		`- "description": "A loopback-next extension for authentication feature. Various Oauth strategies supported.",`
	`4`	`+ "description": "A loopback-next extension for authentication feature. Various Oauth strategies supported by this package.",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"loopback-extension",`
`7`	`7`	`"loopback",`