@Timeless0911
Contributor

Summary

Enable OIDC publishing to make it easier and more secure to publish npm packages from CI.

Related Links

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).

@Timeless0911 Timeless0911 requested review from chenjiahan and Copilot and removed request for Copilot August 5, 2025 03:32
@Timeless0911 Timeless0911 enabled auto-merge (squash) August 5, 2025 03:32
Contributor

Copilot AI left a comment

Pull Request Overview

This PR enables OIDC (OpenID Connect) trusted publishing for npm packages to improve security and simplify CI publishing workflows. The changes remove the traditional NPM_TOKEN-based authentication in favor of OIDC-based authentication, which eliminates the need to manage long-lived tokens.

  • Removes provenance: true configuration from package.json files since OIDC publishing handles provenance automatically
  • Updates GitHub Actions workflow to use OIDC authentication instead of NPM_TOKEN
  • Updates npm to the latest version to ensure OIDC support

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| packages/plugin-dts/package.json | Removes manual provenance configuration |
| packages/create-rslib/package.json | Removes manual provenance configuration |
| packages/core/package.json | Removes manual provenance configuration |
| .github/workflows/release.yml | Switches from NPM_TOKEN to OIDC authentication and updates npm version |
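
As an added example (not code from this pull request or the project), the Python check below audits a release setup for the changes the overview lists: no stored npm token, OIDC permission present, npm updated before publishing, and no manual provenance flag. The workflow and package.json samples are constructed, and the `id-token: write` permission and `npm install -g npm@latest` step are assumptions about how such a migration is written, since the diff is not shown on this page.

```python
import json
import re

# Constructed samples, not the project's release.yml or package.json files.
BEFORE_WORKFLOW = """\
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
AFTER_WORKFLOW = """\
permissions:
  contents: read
  id-token: write   # assumed: lets the job request an OIDC token
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npm install -g npm@latest
      - run: npm publish
"""
BEFORE_PKG = '{"name": "example-pkg", "publishConfig": {"provenance": true}}'
AFTER_PKG = '{"name": "example-pkg", "publishConfig": {"access": "public"}}'


def audit(workflow_text, package_jsons):
    """Return findings showing a release setup still relies on a stored token."""
    findings = []
    # Drop YAML comments so a commented-out line cannot satisfy or trip a check.
    lines = [re.sub(r"\s+#.*$", "", ln) for ln in workflow_text.splitlines()
             if not ln.lstrip().startswith("#")]
    body = "\n".join(lines)
    if re.search(r"secrets\.NPM_TOKEN|NODE_AUTH_TOKEN", body):
        findings.append("long-lived npm token still referenced")
    if not re.search(r"^\s*id-token:\s*write\s*$", body, re.M):
        findings.append("id-token: write permission missing")
    if not re.search(r"npm (install|i) (-g|--global) npm@", body):
        findings.append("npm CLI not updated before publish")
    for name, text in package_jsons.items():
        if json.loads(text).get("publishConfig", {}).get("provenance") is True:
            findings.append(f"{name}: manual provenance flag still set")
    return findings
```

Running `audit` against the real workflow and package.json contents after a migration like this one should return an empty list; the stored `NPM_TOKEN` secret can then be revoked on the registry side.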

Member

@chenjiahan chenjiahan left a comment

👍

@Timeless0911 Timeless0911 merged commit da28e96 into main Aug 5, 2025
15 checks passed
@Timeless0911 Timeless0911 deleted the oidc branch August 5, 2025 03:38
3 participants