@BlobMaster41
Warning

This PR is required to comply with npm's new security standard. npm deprecated all classic tokens on December 9, 2025 and now mandates OIDC Trusted Publishing for CI/CD workflows.

This PR is required by #2976.

Changes proposed in this pull request:

Upgrade GitHub Actions to v6 and Node.js 24

  • Node.js 20 reaches end-of-life in April 2026
  • Updated actions/checkout from v4 to v6
  • Updated actions/setup-node from v4 to v6
  • Updated actions/github-script from v7 to v8 (uses Node 24 runtime)
  • All workflows now use node-version: current to target Node 24
  • Added explicit node-version: current to the features job which was missing it

Migrate npm publishing to OIDC Trusted Publishing

  • npm deprecated all classic tokens on December 9, 2025
  • Removed NPM_TOKEN environment variable
  • Authentication now uses OpenID Connect with short-lived, cryptographically signed credentials
  • Provenance attestations are generated automatically by npm
  • Added id-token: write permission required for OIDC
  • Added registry-url to setup-node for npm authentication
  • Eliminates token management overhead and improves supply chain security

Add prerelease support and GitHub Release automation

  • Publish workflow now detects alpha, beta, rc versions and tags them appropriately on npm
  • Creates GitHub Releases automatically after successful publish (tag is created by the release action)
  • Generates changelogs from merged PRs using mikepenz/release-changelog-builder-action@v6
  • Prereleases are marked correctly on both npm and GitHub

Migration steps required before merging:

  1. Configure Trusted Publisher on npmjs.com for each package:

    • Navigate to package settings → Trusted Publisher section
    • Select GitHub Actions as provider
    • Enter: Organization AssemblyScript, Repository assemblyscript, Workflow publish.yml
    • Repeat for @assemblyscript/loader and @assemblyscript/rtrace
    • Why: npm needs to know which GitHub workflow is authorized to publish without a token. Without this, the OIDC authentication will fail with a 404 error.
  2. Remove NPM_TOKEN from repository secrets

    • Why: OIDC authentication only works when no auth token is present. If NODE_AUTH_TOKEN is set, npm will try to use the token instead of OIDC and fail.
  3. Verify runners have npm 11.5.1+

    • Why: OIDC trusted publishing requires npm CLI 11.5.1 or later. Node 24 includes npm 11.x so this should be automatic with node-version: current.
  • I've read the contributing guidelines
  • I've added my name and email to the NOTICE file

Upgraded various GitHub Actions to newer major versions in workflow files for improved reliability and features. Enhanced the publish workflow with changelog generation, improved release handling, and npm tag management. Added a CHANGELOG.md file for documenting project changes.
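The publish workflow shape these changes describe, as an added example that is not the PR's own publish.yml: the workflow_dispatch trigger, the job name, the npm version check and the dist-tag selection are assumptions; the action versions and the node-version, registry-url and id-token settings are the ones the description lists.

```yaml
# Added example, not the repository's publish.yml. Trigger, job name, the
# npm version check and the dist-tag logic are assumptions; action versions
# and inputs follow the PR description.
name: Publish

on:
  workflow_dispatch:        # assumed trigger

permissions:
  contents: read
  id-token: write           # lets the job request an OIDC token; npm verifies it
                            # against the Trusted Publisher configured for the package

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: current                  # Node 24, which bundles npm 11.x
          registry-url: https://registry.npmjs.org

      # OIDC publishing needs npm CLI 11.5.1 or later; fail early if the runner is older.
      - name: Check npm version
        run: |
          v="$(npm --version)"
          [ "$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)" = "11.5.1" ] \
            || { echo "npm $v is older than 11.5.1"; exit 1; }

      - run: npm ci

      # No NODE_AUTH_TOKEN is set anywhere in this job: a present token makes npm
      # use it instead of OIDC. Prerelease versions get their own dist-tag so they
      # never become "latest".
      - name: Publish
        run: |
          version="$(node -p "require('./package.json').version")"
          tag=latest
          case "$version" in
            *-alpha*) tag=alpha ;;
            *-beta*)  tag=beta ;;
            *-rc*)    tag=rc ;;
          esac
          npm publish --tag "$tag"
```

Provenance attestations are produced by npm itself under trusted publishing, so no extra flag is needed in the publish step; the version check only guards against a runner image whose Node build ships an older npm.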
@CountBleck (Member)

To implement OIDC, not much change should occur in this repo. I intend to implement this myself.

@BlobMaster41 (Author)

To implement OIDC, not much change should occur in this repo. I intend to implement this myself.

Noted. Should I close this PR?
