Skip to content

ci: migrate to OIDC trusted publishing #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 13, 2025
Merged

ci: migrate to OIDC trusted publishing #12

merged 4 commits into from
Nov 13, 2025
+1,121 −573

Conversation

@tanjeemh
Copy link

@tanjeemh tanjeemh commented Nov 7, 2025
edited
Loading

What problem are we solving?

  • Update node version to 22.x to resolve version mismatch error
  • added id-token: write permissions to allow for OIDC auth
  • use environment: publish to enforce npmjs release security
  • update semantic-release/npm to v13.1.1 to comply with OIDC Trusted Publishing

Why solve it this way?
As classic npm tokens are being revoked as per npmjs notices, this PR is part of the overarching epic to migrate to using OIDC Trusted Publishing.
The addition of environments enforces custom branch deployment, ensuring that a random person can't just initiate a release.

Ticket: DX-2083

@tanjeemh tanjeemh force-pushed the DX-2083-trusted-publishing branch from 516e460 to 251fbaa Compare November 10, 2025 14:34
@tanjeemh tanjeemh force-pushed the DX-2083-trusted-publishing branch 2 times, most recently from bc184bf to 1af26a8 Compare November 10, 2025 15:38
@tanjeemh tanjeemh enabled auto-merge November 13, 2025 15:27
starfy84
starfy84 requested changes Nov 13, 2025
View reviewed changes
Copy link

@starfy84 starfy84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

Had a quick question about removing --frozen-lockfile. Also, it seems like we've updated the package.json without committing the associated changes to the lock file

@tanjeemh tanjeemh force-pushed the DX-2083-trusted-publishing branch from 1af26a8 to d67e76e Compare November 13, 2025 15:35
starfy84
starfy84 approved these changes Nov 13, 2025
View reviewed changes
Copy link

@starfy84 starfy84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tanjeemh tanjeemh merged commit 5d1f0e2 into master Nov 13, 2025
1 check passed
@tanjeemh tanjeemh deleted the DX-2083-trusted-publishing branch November 13, 2025 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@starfy84 starfy84 starfy84 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tanjeemh @starfy84