ci: Support NPM OIDC publishing flow and add provenance (#1932)

aklinker1 · web-flow · commit 7291c604130e · 2025-10-11T12:36:05.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,7 +33,8 @@ jobs:
     name: Publish
     runs-on: ubuntu-22.04
     permissions:
-      contents: write
+      contents: write # Push version changes
+      id-token: write # OIDC for NPM publishing
     needs:
       - validate
     steps:
@@ -61,9 +62,8 @@ jobs:
       - name: Publish to NPM
         working-directory: packages/${{ inputs.package }}
         run: |
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
-          pnpm build
-          pnpm publish
+          sudo npm i -g npm@latest
+          npm publish
 
       - name: Create GitHub release
         run: pnpm tsx scripts/create-github-release.ts ${{ inputs.package }}
diff --git a/.github/workflows/update-browser-package.yml b/.github/workflows/update-browser-package.yml
@@ -12,7 +12,8 @@ jobs:
     name: 'Sync with @types/chrome'
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write # Push version changes
+      id-token: write # OIDC for NPM publishing
     steps:
       - name: Checkout
         uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
@@ -42,5 +43,5 @@ jobs:
         if: steps.commit.outputs.changes_detected == 'true'
         working-directory: packages/browser
         run: |
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
-          pnpm publish
+          sudo npm i -g npm@latest
+          npm publish
