Make NPM_TOKEN optional for package release (#1744)

tidoust · web-flow · commit fe0d2c4145a7 · 2025-12-12T13:55:24.000+01:00
Classic tokens are no longer supported by npm. We may still want to run the release script from a local machine using a fine-grained access token, but these tokens expire after 90 days at most and are thus not suitable for our release process. I set up OpenID Connect between the `@webref/*` packages in npm and GitHub Actions and dropped the former `NPM_TOKEN` secret. This update adjusts the release script not to fail if such a token cannot be found. The call to `npmPublish` gets adjusted accordingly only to pass the token if it exists. That should close #1739.
diff --git a/.github/workflows/release-package.yml b/.github/workflows/release-package.yml
@@ -34,4 +34,3 @@ jobs:
       run: node tools/release-package.js ${{ github.event.pull_request.number }}
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/tools/release-package.js b/tools/release-package.js
@@ -88,11 +88,14 @@ async function releasePackage(prNumber) {
 
     console.log(`- Publish packages/${type} folder to npm`);
     const packageFolder = path.join(installFolder, "packages", type, "package.json");
-    const pubResult = await npmPublish({
-      package: packageFolder,
-      token: NPM_TOKEN
+    const pubOptions = {
+      package: packageFolder
       //, debug: console.debug
-    });
+    };
+    if (NPM_TOKEN) {
+      pubOptions.token = NPM_TOKEN;
+    }
+    const pubResult = await npmPublish(pubOptions);
     console.log(`- Published version was ${pubResult.oldVersion}`);
     console.log(`- Version bump: ${pubResult.type}`);
     console.log(`- Published version is ${pubResult.version}`);
@@ -154,11 +157,12 @@ if (!GH_TOKEN) {
   process.exit(1);
 }
 
+// An NPM token is needed to run the script from a local machine.
+// Authentication from a GitHub workflow rather relies on OpenID Connect
+// and the release workflow must be added as a trusted publisher for each
+// npm package that can be released, see:
+// https://docs.npmjs.com/trusted-publishers
 const NPM_TOKEN = config?.NPM_TOKEN ?? process.env.NPM_TOKEN;
-if (!NPM_TOKEN) {
-  console.error("NPM_TOKEN must be set to an npm token as an env variable or in a config.json file");
-  process.exit(1);
-}
 
 // Note: npm-publish has a bug and needs an "INPUT_TOKEN" env variable:
 // https://github.com/JS-DevTools/npm-publish/issues/15
