Conversation

@petar-omni
Collaborator

This pull request updates the release workflow to improve npm publishing security and compatibility. The main changes are updating npm to the latest version and switching to OIDC-based authentication for npm publishing.

Release workflow improvements:

  • Updated the workflow to install the latest version of npm to ensure compatibility with trusted publishing requirements.
  • Changed npm authentication to use OIDC instead of an NPM_TOKEN, following best practices for secure publishing.

@changeset-bot

changeset-bot bot commented Jan 19, 2026

⚠️ No Changeset found

Latest commit: 4940394

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel

vercel bot commented Jan 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project            Deployment   Review             Updated (UTC)
dashboard-finery   Ready        Preview, Comment   Jan 19, 2026 0:05am
dashboard-utila    Ready        Preview, Comment   Jan 19, 2026 0:05am
staging-widget     Ready        Preview, Comment   Jan 19, 2026 0:05am
stakekit-widget    Ready        Preview, Comment   Jan 19, 2026 0:05am


Contributor

Copilot AI left a comment


Pull request overview

This PR updates the release workflow to implement OIDC-based authentication for npm publishing (trusted publishing) instead of using a token-based approach. The changes aim to improve security by removing the need for storing an NPM_TOKEN secret.

Changes:

  • Install latest npm version to meet trusted publishing requirements (minimum npm 11.5.1)
  • Remove NPM_TOKEN secret usage and set it to empty string to enable OIDC authentication


Comment on lines +50 to +51
# Use OIDC for npm authentication instead of NPM_TOKEN
NPM_TOKEN: "" # https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868
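Review bot: the reason NPM_TOKEN is set to an empty string is only recoverable by following the external issue link; put a one-sentence explanation in the workflow comment itself (why the variable must still be present while authentication actually comes from OIDC) so the workaround is understood and can be removed later without the link. Since the token secret is no longer needed for publishing, also revoke the old NPM_TOKEN on npm and delete the repository secret so a stale credential cannot be used to publish.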

Copilot AI Jan 19, 2026


This implementation is incomplete for OIDC-based npm publishing. The workflow is missing the required id-token: write permission in the permissions section (lines 14-16). Without this permission, the GitHub Actions workflow cannot request an OIDC token, and npm publishing will fail.

Additionally, you may need to configure provenance settings. Consider adding an .npmrc file or updating package.json publishConfig with provenance: true to enable npm provenance, which generates signed attestations of where and how the package was built.


# npm 11.5.1 or later is required for trusted publishing
- name: Update npm
run: npm install -g npm@latest
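Review bot: the step comment states that npm 11.5.1 or later is required, but nothing verifies that the version actually installed meets it; add an `npm --version` line (or a check that fails the job when the version is below 11.5.1) to this run block so a shortfall surfaces here rather than as an authentication error at publish time.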

Copilot AI Jan 19, 2026


The comment mentions npm version 11.5.1 as the requirement, but the installation command uses npm@latest. This could potentially install a future version with breaking changes or regressions. Consider pinning to a specific minimum version that's known to work (e.g., npm@11.5.1 or npm@^11.5.1) to ensure reproducible builds and avoid unexpected issues from future npm releases.

Suggested change
run: npm install -g npm@latest
run: npm install -g npm@11.5.1

@petar-omni petar-omni merged commit 01d6758 into main Jan 19, 2026
17 checks passed
@petar-omni petar-omni deleted the ci/trusted-publishing branch January 19, 2026 12:42