File tree Expand file tree Collapse file tree 2 files changed +18
-3
lines changed Expand file tree Collapse file tree 2 files changed +18
-3
lines changed Original file line number Diff line number Diff line change 1616 NODE_VERSION : ' 20'
1717
1818jobs :
19- release-stable :
19+ release-stable : # stable releases can only be manually triggered
2020 if : ${{ github.event_name == 'workflow_dispatch' }}
2121 runs-on : ubuntu-latest
2222 permissions :
7474 cache : ' npm'
7575 registry-url : ' https://registry.npmjs.org'
7676
77+ # Ensure npm 11.5.1 or later is installed for trusted publishing support
7778 - name : Update npm
7879 run : npm install -g npm@latest
7980
@@ -206,7 +207,12 @@ jobs:
206207 uses : ./.github/workflows/ci-auth-js-node18.yml
207208 permissions :
208209 actions : read
209- contents : read
210+ contents :
211+ read
212+
213+ # ==========================================
214+ # CANARY RELEASE (only on master, after all CI passes)
215+ # ==========================================
210216
211217 release-canary :
212218 name : Release Canary
@@ -215,6 +221,7 @@ jobs:
215221 permissions :
216222 contents : read
217223 id-token : write
224+ # Only run on master branch pushes, and only if all CI jobs succeeded
218225 if : |
219226 github.ref == 'refs/heads/master' &&
220227 github.event_name == 'push' &&
@@ -241,6 +248,7 @@ jobs:
241248 cache : ' npm'
242249 registry-url : ' https://registry.npmjs.org'
243250
251+ # Ensure npm 11.5.1 or later is installed for trusted publishing support
244252 - name : Update npm
245253 run : npm install -g npm@latest
246254 - name : Install dependencies
Original file line number Diff line number Diff line change @@ -69,6 +69,12 @@ function safeExec(cmd: string, opts = {}) {
6969
7070 // --- GIT AUTH SETUP FOR TAGGING/CHANGELOG ---
7171
72+ // releaseChangelog should use the GitHub token with permission for tagging
73+ // before switching the token, backup the GITHUB_TOKEN so that it
74+ // can be restored afterwards and used by releasePublish. We can't use the same
75+ // token, because releasePublish wants a token that has the id_token: write permission
76+ // so that we can use OIDC for trusted publishing
77+
7278 const gh_token_bak = process . env . GITHUB_TOKEN
7379 process . env . GITHUB_TOKEN = process . env . RELEASE_GITHUB_TOKEN
7480
@@ -94,7 +100,8 @@ function safeExec(cmd: string, opts = {}) {
94100 } )
95101
96102 // --- RESTORE GIT AUTH FOR PUBLISHING ---
97-
103+ // npm publish with OIDC
104+ // not strictly necessary to restore the header but do it incase we require it later
98105 if ( originalAuth ) {
99106 safeExec ( `git config --local http.https://github.com/.extraheader "${ originalAuth } )
100107 } else {
You can’t perform that action at this time.
0 commit comments