DX-2278: update release to use npm OIDC (#149)

CahidArda · web-flow · commit 8db1d8d43d1b · 2026-02-05T22:58:39.000+03:00
* fix: update release to use npm OIDC https://docs.npmjs.com/trusted-publishers * fix: add workflow_call to release wf triggers and use release wf in test wf * fix: add ci.yml to route release/tests with oidc permissions * fix: repository is required for provenance flag in release * fix: simplify diff * fix: remove unnecessary --no-git-checks flag from npm publish command
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  pull_request:
+  release:
+    types:
+      - published
+  schedule:
+    - cron: "0 0 * * *" # daily
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  tests:
+    if: github.event_name != 'release'
+    uses: ./.github/workflows/tests.yaml
+    secrets: inherit
+
+  release:
+    if: github.event_name == 'release'
+    uses: ./.github/workflows/release.yml
+    with:
+      prerelease: ${{ github.event.release.prerelease }}
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,25 +1,29 @@
 name: Release
 
 on:
-  release:
-    types:
-      - published
+  workflow_call:
+    inputs:
+      prerelease:
+        description: "Whether this is a prerelease"
+        type: boolean
+        required: true
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set env
         run: echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 24
+          registry-url: https://registry.npmjs.org
 
       - name: Set package version
         run: echo $(jq --arg v "${{ env.VERSION }}" '(.version) = $v' package.json) > package.json
@@ -35,13 +39,10 @@ jobs:
       - name: Build
         run: bun run build
 
-      - name: Add npm token
-        run: echo "//registry.npmjs.org/:_authToken=${{secrets.NPM_TOKEN}}" > .npmrc
-
-      - name: Publish release candidate
-        if: "github.event.release.prerelease"
-        run: npm publish --access public --tag=canary --no-git-checks
+      - name: Publish prerelease
+        if: inputs.prerelease
+        run: npm publish --access public --tag=canary --provenance --no-git-checks
 
-      - name: Publish
-        if: "!github.event.release.prerelease"
-        run: npm publish --access public --no-git-checks
+      - name: Publish stable release
+        if: ${{ !inputs.prerelease }}
+        run: npm publish --access public --provenance --no-git-checks
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -1,8 +1,6 @@
 name: Tests
 on:
-  pull_request:
-  schedule:
-    - cron: "0 0 * * *" # daily
+  workflow_call:
 
 env:
   UPSTASH_REDIS_REST_URL: ${{ secrets.UPSTASH_REDIS_REST_URL }}
@@ -214,9 +212,9 @@ jobs:
       - name: Test
         run: bun test ci.test.ts
         working-directory: examples/nextjs
-  
+
   release:
-    name: Release
+    name: Release Canary
     concurrency: release
     needs:
       - cloudflare-workers-local
@@ -227,16 +225,17 @@ jobs:
       version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get version
         id: version
         run: echo "::set-output name=version::v0.0.0-ci.${GITHUB_SHA}-$(date +%Y%m%d%H%M%S)"
 
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
+          registry-url: https://registry.npmjs.org
 
       - name: Set package version
         run: echo $(jq --arg v "${{ steps.version.outputs.version }}" '(.version) = $v' package.json) > package.json
@@ -252,11 +251,8 @@ jobs:
       - name: Build
         run: bun run build
 
-      - name: Add npm token
-        run: echo "//registry.npmjs.org/:_authToken=${{secrets.NPM_TOKEN}}" > .npmrc
-
-      - name: Publish release candidate
-        run: npm publish --access public --tag=ci
+      - name: Publish CI canary
+        run: npm publish --access public --tag=ci --provenance
 
       - name: Sleep
         run: sleep 5
diff --git a/package.json b/package.json
@@ -6,6 +6,10 @@
   "files": [
     "dist"
   ],
+  "repository": {
+    "type": "git",
+    "url": "git@github.com:upstash/ratelimit-js.git"
+  },
   "scripts": {
     "build": "tsup",
     "test": "bun test src --coverage",
