Skip to content

chore(ci): update semantic-release to support OIDC workflow #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jhampton merged 1 commit into from
Jan 16, 2026
Merged

chore(ci): update semantic-release to support OIDC workflow #29

jhampton merged 1 commit into from
Jan 16, 2026

Conversation

@jhampton
Copy link
Collaborator

@jhampton jhampton commented Jan 16, 2026
edited
Loading

per latest documentation and
semantic-release/npm#958

Description

Type of Change

  • feat: New feature (non-breaking change which adds functionality)
  • fix: Bug fix (non-breaking change which fixes an issue)
  • docs: Documentation update
  • refactor: Code refactoring (no functional changes)
  • perf: Performance improvement
  • test: Test additions or updates
  • build: Build system or dependency changes
  • ci: CI configuration changes
  • chore: Other changes (maintenance, etc.)

Breaking Changes

  • This PR contains BREAKING CHANGES

Breaking Change Details:

Migration Guide:

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • All commit messages follow conventional commits format
  • I have updated the appropriate section in documentation (if needed)

Conventional Commits

All commits in this PR follow conventional commit format:

<type>(<scope>): <subject>

[optional body]

[optional footer]

Example commit messages:

  • feat(api): add Bible verse lookup method
  • fix(auth): resolve token refresh race condition
  • docs: update installation instructions

For breaking changes:

  • feat(api)!: redesign Bible content API

See CONTRIBUTING.md for detailed guidelines.

Related Issues

Closes #
Relates to #

Additional Context

Reviewer Notes

@chatgpt-codex-connector
Copy link

chatgpt-codex-connector bot commented Jan 16, 2026

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@jhampton jhampton merged commit de337dc into main Jan 16, 2026
0 of 2 checks passed
@jhampton jhampton deleted the ype-1050-oidc-npm-publish branch January 16, 2026 22:51
jhampton pushed a commit that referenced this pull request Jan 16, 2026
@semantic-release-bot
chore(release): 0.8.0 [skip ci]
88a816e 
## 0.8.0 (2026-01-16)

* chore: Depend on most recent Swift SDK version and update breaking changes (#27) ([a042211](a042211)), closes [#27](#27)
* chore(ci): Disable NPM tokens in release workflow (#28) ([c63c21a](c63c21a)), closes [#28](#28)
* chore(ci): update semantic-release to support OIDC workflow (#29) ([de337dc](de337dc)), closes [#29](#29)
* chore(ci): YPE-1050 Modify release.yml for permissions and Node.js version ([2c86c6f](2c86c6f))
* Add NODE_AUTH_TOKEN to release workflow ([2bdc89c](2bdc89c))
* Add provenance option to npm release configuration ([d746acf](d746acf))
* Enable NPM_CONFIG_PROVENANCE in release workflow ([e027853](e027853))
* Update Node.js version and add NPM upgrade step ([ee94aa2](ee94aa2))
* feat: add support for `configure` in Kotlin (#16) ([d9bca2d](d9bca2d)), closes [#16](#16)
* feat: implement `setApiHost` and `getAccessToken` in Kotlin (#17) ([a4ee43c](a4ee43c)), closes [#17](#17)
* feat: Implement `SignInWithYouVersionButton` for Kotlin (#26) ([5072471](5072471)), closes [#26](#26)
* feat: Implement API utils for Kotlin/Android (#25) ([9a88926](9a88926)), closes [#25](#25)
* feat: implement votd API endpoint for Kotlin (#19) ([59e6874](59e6874)), closes [#19](#19)
* docs: add AI agent code review guidelines (#23) ([8218cec](8218cec)), closes [#23](#23)
@github-actions
Copy link

github-actions bot commented Jan 16, 2026

🎉 This PR is included in version 0.8.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@greptile-apps
Copy link

greptile-apps bot commented Jan 16, 2026

Greptile Summary

This PR upgrades semantic-release from v24.2.0 to v25.0.2 to enable OIDC-based NPM publishing workflow, as discussed in the referenced GitHub issue.

Key Changes:

  • Upgraded semantic-release to v25.0.2 which includes @semantic-release/npm v13.1.3 with built-in OIDC support via @actions/core v2.0.0
  • Removed empty dependencies field from package.json (cleanup)
  • Updated transitive dependencies including @semantic-release/github (v11→v12), @semantic-release/npm (v12→v13), and related packages
  • Node.js engine requirement increased to ^22.14.0 || >= 24.10.0 (already addressed in release workflow which uses Node 24)

Compatibility Notes:

  • The existing semantic-release plugins (@semantic-release/changelog@6.0.3, @semantic-release/exec@6.0.3, @semantic-release/git@10.0.1) specify peerDependencies: "semantic-release": ">=18.0.0" and should remain compatible with v25
  • The release workflow already uses Node.js 24 and has NPM_CONFIG_PROVENANCE: true enabled, meeting the new requirements
  • The .releaserc.json already has provenance: true configured in the npm plugin settings

Confidence Score: 5/5

  • This PR is safe to merge - straightforward dependency upgrade aligned with documented requirements
  • The upgrade follows the official semantic-release v25 migration path for OIDC support. All necessary workflow configurations (Node 24, provenance flags) are already in place. The existing plugins remain compatible per their peer dependency ranges.
  • No files require special attention

Important Files Changed

Filename Overview
package.json Updated semantic-release from v24.2.0 to v25.0.2 and removed empty dependencies field
package-lock.json Lockfile updated with semantic-release v25 and new dependencies including @actions/core for OIDC support

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant SR as semantic-release v25
    participant NPM_Plugin as @semantic-release/npm v13
    participant Actions_Core as @actions/core
    participant NPM_Registry as NPM Registry
    
    GHA->>GHA: Set id-token: write permission
    GHA->>GHA: Set NODE_AUTH_TOKEN & NPM_CONFIG_PROVENANCE
    GHA->>SR: Run semantic-release
    SR->>SR: Analyze commits & generate version
    SR->>NPM_Plugin: Prepare package for publishing
    NPM_Plugin->>Actions_Core: Request OIDC token
    Actions_Core->>GHA: Get OIDC token from GitHub
    GHA-->>Actions_Core: Return OIDC token
    Actions_Core-->>NPM_Plugin: Provide OIDC token
    NPM_Plugin->>NPM_Registry: Publish with provenance (OIDC auth)
    NPM_Registry-->>NPM_Plugin: Package published with attestations
    NPM_Plugin-->>SR: Publishing complete
    SR->>SR: Create GitHub release & update changelog
Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jhampton