From e99228eb3f54d34522a13be469449a2547c7ca71 Mon Sep 17 00:00:00 2001
From: MantisClone
Date: Fri, 17 Oct 2025 17:09:47 -0400
Subject: [PATCH 1/2] Add OIDC Trusted Publisher for NPM publishing
- Add OIDC permissions (id-token: write, contents: read)
- Update to actions/setup-node@v4 and Node 20
- Add npm update step to ensure npm 11.5.1+
- Remove NODE_AUTH_TOKEN (OIDC handles authentication)
- Update documentation to mention OIDC publishing
---
.github/workflows/npm-publish.yaml | 14 ++++++++++----
CONTRIBUTING.md | 2 +-
README.md | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/npm-publish.yaml b/.github/workflows/npm-publish.yaml
index 112f3e27..ee30269c 100644
--- a/.github/workflows/npm-publish.yaml
+++ b/.github/workflows/npm-publish.yaml
@@ -8,6 +8,10 @@ on: - main workflow_dispatch: +permissions: + id-token: write # Required for OIDC + contents: read + jobs: release-if-necessary: runs-on: ubuntu-latest
@@ -26,11 +30,15 @@ jobs: fetch-depth: 0 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '20' registry-url: 'https://registry.npmjs.org' + # Ensure npm 11.5.1 or later is installed + - name: Update npm + run: npm install -g npm@latest + - name: Install dependencies 📥 run: npm ci
@@ -49,12 +57,10 @@ jobs: if: steps.check-release.outputs.release-type == 'stable' run: npm publish --workspace=${{ matrix.package }} env: - NODE_AUTH_TOKEN: ${{ secrets.REQUEST_BOT_NPM_TOKEN }} VITE_WEB3MODAL_PROJECT_ID: ${{ secrets.VITE_WEB3MODAL_PROJECT_ID }} - name: Publish next version 📦 if: steps.check-release.outputs.release-type == 'next' run: npm run publish-next-release --workspace=${{ matrix.package }} env: - NODE_AUTH_TOKEN: ${{ secrets.REQUEST_BOT_NPM_TOKEN }} VITE_WEB3MODAL_PROJECT_ID: ${{ secrets.VITE_WEB3MODAL_PROJECT_ID }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 45cf4b58..f920b9cb 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
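Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in this workflow, while only the two publish steps need an OIDC token; if the workflow has or later gains other jobs, move the block under the publishing job so a token is only minted where `npm publish` runs. Declaring `permissions:` explicitly also replaces the default token scopes with `contents: read` for the whole workflow, so any step that pushes tags or creates a GitHub release (the job is named `release-if-necessary`, which may imply that) will now be denied — worth confirming against the rest of the job, which continues outside the hunk. A comment above the block such as `# Least-privilege token: id-token for npm OIDC trusted publishing, contents only for checkout` would record why these two scopes were chosen.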
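Review bot: `run: npm install -g npm@latest` in the new "Update npm" step pulls an unpinned package into the publishing job at run time, so the npm version that uploads the release changes without any commit and a broken or compromised npm release would land in this pipeline first. Pin the version the step's comment already names and make the result visible in the log, e.g. `run: npm install -g npm@11.5.1 && npm --version`, and reword the comment to `# npm 11.5.1 is the minimum for OIDC trusted publishing; Node 20's bundled npm is older` so the reason for the floor is recorded. The job this step belongs to starts before the hunk and continues after it.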
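Review bot: Removing `NODE_AUTH_TOKEN` from both publish steps leaves the `REQUEST_BOT_NPM_TOKEN` secret unused but, presumably, still configured in the repository; once OIDC publishing is confirmed working, that long-lived token should be revoked on npm and the repository secret deleted so it is not left readable by other workflows. The matrix, the `check-release` step these `if:` conditions depend on, and the rest of the job are outside the hunk.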
@@ -33,4 +33,4 @@ Each component has its own version number. The versioning scheme we use is 1. Increase the version number of a given component by running `npm version ` inside the package directory or by using the `--workspace=` flag from the root directory. 2. Create a PR.
-3. When the PR is merged, the CI will automatically publish the new version to NPM.
\ No newline at end of file
+3. When the PR is merged, the CI will automatically publish the new version to NPM using OIDC Trusted Publisher authentication (no manual tokens required).
\ No newline at end of file
diff --git a/README.md b/README.md
index 8e9c4b3f..7ae43c29 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ Run changeset version command to bump the version of the packages that have chan npx changeset version ```
-Push the changes to the remote repository. Once the changes are merged, the new versions will be deployed automatically.
+Push the changes to the remote repository. Once the changes are merged, the new versions will be deployed automatically using OIDC Trusted Publisher authentication.
For more info about workinng with NPM workspaces see: https://docs.npmjs.com/cli/v8/using-npm/workspaces
From a6f6e0807a4df192fabfb715f2b29507dfbf49ca Mon Sep 17 00:00:00 2001
From: MantisClone
Date: Fri, 17 Oct 2025 17:13:25 -0400
Subject: [PATCH 2/2] Update README.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7ae43c29..d6a181ba 100644
--- a/README.md
+++ b/README.md
@@ -90,5 +90,5 @@ npx changeset version Push the changes to the remote repository. Once the changes are merged, the new versions will be deployed automatically using OIDC Trusted Publisher authentication.
-For more info about workinng with NPM workspaces see:
+For more info about working with NPM workspaces see:
https://docs.npmjs.com/cli/v8/using-npm/workspaces