@tanjeemh tanjeemh commented Oct 10, 2025

Summary:
This PR updates the GitHub Actions release workflow to use npm Trusted Publishing (OIDC) instead of long-lived NPM_TOKEN secrets.

Changes:

  • Added permissions: id-token: write for OIDC-based publishing
  • I added a dummy value "FAKE_NPM_TOKEN_FOR_SEMANTIC_RELEASE" in all repos to ensure that semantic-release passes

Why:

  • We want to eliminate long-lived npm tokens, and use GitHub’s OIDC-based authentication for npm publishing instead
  • Our semantic-release workflow (semantic-release-action/typescript/blob/master/.github/workflows/release.yml) defines npm-token as a required secret. So if it’s missing, the release can sometimes fail early or behave inconsistently. Some repos throw a hard error (“Secret npm-token is required”), while others partially run and then stop. By setting the dummy token, we eliminate those inconsistencies, guarantee that all release workflows start cleanly across repos, and ensure that future developers don't get confused as to why there is no npm-token
    It doesn’t actually authenticate to npm, so it’s a harmless placeholder that prevents future CI failures

Expected outcome:

  • Future releases will publish securely through GitHub’s OIDC workflow
  • npm-token secrets are no longer required
  • npm packages will show a "GitHub Actions" verification at the top of the npm package indicating that the Trusted Publishing has worked

Ticket: DX-2084
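The two changes the description lists, expressed as a caller workflow in a consuming repository. This is an added example, not code from the PR or from the semantic-release-action project; the file path, the `@master` ref on the reusable workflow, and the assumption that it takes no required inputs are mine, while the `npm-token` secret name and the placeholder value are taken from the description above.

```yaml
# .github/workflows/release.yml in a consuming repo (path assumed for this example)
name: Release

on:
  push:
    branches: [master]

jobs:
  release:
    # Ref and the absence of required inputs are assumptions about the reusable workflow.
    uses: semantic-release-action/typescript/.github/workflows/release.yml@master
    permissions:
      contents: write   # semantic-release pushes the version tag and release notes
      id-token: write   # lets the job mint the GitHub OIDC token that npm Trusted Publishing
                        # exchanges for a short-lived publish credential; without it, no OIDC login
    secrets:
      # Placeholder only: the reusable workflow declares npm-token as a required secret,
      # so a value must be passed even though OIDC performs the real authentication.
      # This string is never a valid npm credential.
      npm-token: FAKE_NPM_TOKEN_FOR_SEMANTIC_RELEASE
```

Two things to verify before relying on this: the package on npmjs.com must already have a trusted publisher configured for this repository, and that trust is keyed to the repository owner/name and the workflow filename, so renaming the caller file breaks publishing until the npm-side configuration is updated. `permissions` set on the caller job is an upper bound for the reusable workflow; the called workflow can request less but not more, which is why `id-token: write` has to be granted here rather than only inside the reusable workflow. After the first release, the npm package page should show the GitHub Actions publication badge the description mentions; if it does not, the publish fell back to (or failed on) token auth rather than OIDC.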

@tanjeemh tanjeemh requested a review from a team as a code owner October 10, 2025 19:09

@ericcrosson-bitgo ericcrosson-bitgo left a comment


The PR description seems out of date -- for example, it mentions we install npm though I don't see that in the diff. Please review for consistency with the implementation.


@ericcrosson-bitgo ericcrosson-bitgo left a comment


Those are all the changes needed?? Such a simple PR! Let's give it a whirl

Thank you @tanjeemh 🚀

@ericcrosson-bitgo ericcrosson-bitgo merged commit 37c0fc4 into master Oct 14, 2025
3 checks passed
@ericcrosson-bitgo ericcrosson-bitgo deleted the DX-2084-trusted-publishing branch October 14, 2025 19:47
@github-actions

🎉 This PR is included in version 2.1.6-beta.1 🎉

The release is available on:

Your semantic-release bot 📦🚀


github-actions bot commented Nov 5, 2025

🎉 This PR is included in version 2.1.6 🎉

The release is available on:

Your semantic-release bot 📦🚀


3 participants