Skip to content

chore: use npm Trusted Publishers and unify release workflow #3501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JanCizmar merged 1 commit into from
Feb 10, 2026
Merged

chore: use npm Trusted Publishers and unify release workflow #3501

JanCizmar merged 1 commit into from
Feb 10, 2026

Conversation

@JanCizmar
Copy link
Contributor

@JanCizmar JanCizmar commented Feb 10, 2026
edited by coderabbitai bot
Loading

Summary

npm classic tokens have been deprecated and capped to 90-day expiry. The NPM_TOKEN used for publishing has expired, breaking the release pipeline.

This migrates to OIDC-based Trusted Publishers and consolidates the release workflows:

  • Add permissions block for OIDC (id-token: write)
  • Add registry-url to setup-node so npm auth is handled automatically
  • Remove manual .npmrc creation and NPM_TOKEN usage
  • Merge prerelease.yml into release.yml (npm only allows one workflow per trusted publisher config)
  • Delete obsolete prerelease-tolgee-5.yml

Requires configuring Trusted Publishers on npmjs.com for each @tolgee/* package.

Test plan

  • Configure Trusted Publishers on npmjs.com for all @tolgee packages
  • Verify release pipeline publishes successfully on next merge to main
  • Verify prerelease pipeline works when pushing a prerelease tag

Summary by CodeRabbit

  • Chores
    • Removed dedicated v5 prerelease workflow automation.
    • Removed separate prerelease workflow automation.
    • Consolidated prerelease and release workflows into unified release automation with support for both prerelease and stable release distribution paths.

@JanCizmar
chore: use npm Trusted Publishers and unify release workflow
f9645c9 
Migrate from NPM_TOKEN to OIDC-based Trusted Publishers. Merge
release and prerelease into a single workflow (npm only allows one
workflow per trusted publisher). Remove obsolete prerelease-tolgee-5
workflow.
@coderabbitai
Copy link

coderabbitai bot commented Feb 10, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

Walkthrough

The PR consolidates two separate prerelease workflow files (prerelease-tolgee-5.yml and prerelease.yml) into the main release.yml workflow. The unified workflow now handles both release and prerelease flows through conditional steps triggered by different event types and git tags.

Changes

Cohort / File(s) Summary
Deleted Prerelease Workflows
.github/workflows/prerelease-tolgee-5.yml, .github/workflows/prerelease.yml		 Removed two separate prerelease automation workflows that handled versioning, building, and publishing with different configurations and triggers.
Unified Release Workflow
.github/workflows/release.yml		 Consolidated prerelease logic into the main release workflow. Added OIDC permissions, prerelease tag trigger detection, conditional job execution paths, and split version calculation and publishing steps to handle both release and prerelease flows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Two workflows merged into one bright flow,
Prerelease and release now dance just so,
With conditions and flags dancing hand in hand,
The pipelines unite—oh, what a grand brand! ✨

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch jancizmar/trusted-publishers

Comment @coderabbitai help to get the list of available commands and usage tips.

@JanCizmar JanCizmar merged commit 241a022 into main Feb 10, 2026
2 of 6 checks passed
JanCizmar added a commit that referenced this pull request Feb 10, 2026
@JanCizmar
chore: use npm Trusted Publishers and unify release workflow (#3501)
86b07a5 
## Summary

npm classic tokens have been deprecated and capped to 90-day expiry. The
NPM_TOKEN used for publishing has expired, breaking the release
pipeline.

This migrates to OIDC-based Trusted Publishers and consolidates the
release workflows:

- Add `permissions` block for OIDC (`id-token: write`)
- Add `registry-url` to `setup-node` so npm auth is handled
automatically
- Remove manual `.npmrc` creation and `NPM_TOKEN` usage
- Merge `prerelease.yml` into `release.yml` (npm only allows one
workflow per trusted publisher config)
- Delete obsolete `prerelease-tolgee-5.yml`

**Requires configuring Trusted Publishers on npmjs.com for each
`@tolgee/*` package.**

## Test plan

- [ ] Configure Trusted Publishers on npmjs.com for all @tolgee packages
- [ ] Verify release pipeline publishes successfully on next merge to
main
- [ ] Verify prerelease pipeline works when pushing a `prerelease` tag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JanCizmar