Implement npm trusted publishing#30

Merged
dmattia merged 3 commits into main from copilot/use-npm-trusted-publishing on Dec 19, 2025
Conversation

Contributor

Copilot AI commented Dec 18, 2025

Plan: Implement npm Trusted Publishing ✅

  • Update all actions/setup-node to version v6 (updated from v1, v2, and v3.1.1)
  • Add npm 11.5.1 installation step after setup-node in build-to-npm job
  • Set permissions on the build-to-npm job for trusted publishing (id-token: write, contents: read, packages: write)
  • Remove NPM_TOKEN authentication from build-to-npm job
  • Set NODE_AUTH_TOKEN="" when publishing to npm
  • Bump version in package.json (from 2.3.0 to 2.3.1)
  • Keep NPM_TOKEN authentication for GitHub packages (no changes to build-to-github-packages)
  • Fix prettier formatting issues (single quotes for NODE_AUTH_TOKEN)
  • Verify the changes work correctly (code review passed, security check passed)

Summary of Changes

Workflow Changes (.github/workflows/ci.yml):

  1. Updated all actions/setup-node to v6 across all jobs:

    • build-and-upload-artifacts: v3.1.1 → v6
    • run-mocha: v1 → v6
    • run-depcheck: v1 → v6
    • run-pre-commits: v1 → v6
    • build-to-npm: v2 → v6
    • build-to-github-packages: v2 → v6
  2. Configured build-to-npm job for trusted publishing:

    • Added permissions block (id-token: write, contents: read, packages: write)
    • Added npm 11.5.1 installation step after setup-node with references to npm docs
    • Removed NPM_TOKEN authentication configuration
    • Added NODE_AUTH_TOKEN: '' environment variable to publish step
  3. Preserved GitHub Packages authentication:

    • Left build-to-github-packages job unchanged except for setup-node version
    • NPM_TOKEN authentication still used for GitHub packages as required

Package Changes:

  • Bumped version from 2.3.0 to 2.3.1 in package.json

Security Summary

✅ No security vulnerabilities detected by CodeQL analysis

Original prompt

This section details the original issue you should resolve

<issue_title>@copilot use npm trusted publishing</issue_title>
<issue_description>
  • make sure we use actions/setup-node@v6, not older versions
  • after calling setup-node, run this code:

      # See: https://docs.npmjs.com/trusted-publishers
      # See: https://github.com/actions/setup-node/issues/1445
      - name: Set npm to version that supports trusted publishers
        run: npm install -g npm@11.5.1
        shell: bash

  • set permissions on the github workflow to:

      permissions:
        id-token: write
        contents: read
        packages: write

  • when calling pnpm publish to npm, set NODE_AUTH_TOKEN=""
  • bump the version in package.json
  • remove npm authentication using NPM_TOKEN, such as:

      - name: Configure npm authentication
        run: |
          pnpm config set always-auth true
          pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"

This should only be removed for npm publishing, not to github packages</issue_description>

Comments on the Issue (you are @copilot in this section)
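The build-to-npm job as the plan above describes it, assembled here as an added illustration; this is not the repository's ci.yml nor Copilot's diff. The workflow trigger, checkout and pnpm setup steps, node-version, registry-url and the publish step name are assumptions; the permissions block, npm 11.5.1 step, removed NPM_TOKEN step and empty NODE_AUTH_TOKEN come from the plan.

```yaml
# Added illustration of the trusted-publishing job; not the project's own ci.yml.
name: ci
on:
  push:
    tags: ['v*']   # assumed trigger

jobs:
  build-to-npm:
    runs-on: ubuntu-latest
    # Trusted publishing: the job requests a GitHub OIDC token, which the npm
    # registry exchanges for a short-lived publish credential. No long-lived
    # NPM_TOKEN secret is needed for npm anymore, so nothing to leak or rotate.
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4        # assumed
      - uses: pnpm/action-setup@v4       # assumed pnpm installer
      - uses: actions/setup-node@v6
        with:
          node-version: 20               # assumed
          registry-url: https://registry.npmjs.org
      # See: https://docs.npmjs.com/trusted-publishers
      # See: https://github.com/actions/setup-node/issues/1445
      - name: Set npm to version that supports trusted publishers
        run: npm install -g npm@11.5.1
        shell: bash
      # Removed in this PR (token-based auth, no longer needed for npm):
      #   - name: Configure npm authentication
      #     run: |
      #       pnpm config set always-auth true
      #       pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
      - name: Publish to npm             # assumed step name
        run: pnpm publish
        env:
          # setup-node's registry-url writes an .npmrc that references
          # ${NODE_AUTH_TOKEN}; defining it as empty avoids an unresolved-
          # variable error while sending no token, so OIDC is the only credential.
          NODE_AUTH_TOKEN: ''
```

The build-to-github-packages job keeps its NPM_TOKEN-based configuration unchanged, as the plan states.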



Member

dmattia commented Dec 18, 2025

…1.5.1

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement npm trusted publishing configuration Implement npm trusted publishing Dec 18, 2025
Copilot AI requested a review from dmattia December 18, 2025 23:44
Member

dmattia commented Dec 19, 2025

@copilot run pre-commit run -a for prettier, or fix the outputs of https://github.com/transcend-io/internationalization/actions/runs/20354808594/job/58488313177?pr=30

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 19, 2025

@copilot run pre-commit run -a for prettier, or fix the outputs of https://github.com/transcend-io/internationalization/actions/runs/20354808594/job/58488313177?pr=30

Fixed in 40422e1. Changed NODE_AUTH_TOKEN: "" to NODE_AUTH_TOKEN: '' to satisfy prettier formatting.

@dmattia dmattia marked this pull request as ready for review December 19, 2025 00:42
@dmattia dmattia merged commit 9391c4a into main Dec 19, 2025
9 checks passed
Development

Successfully merging this pull request may close these issues.

@copilot use npm trusted publishing

3 participants