Skip to content

ci: use npm trusted publishing instead of NPM_TOKEN#8

Merged
cubehouse merged 1 commit intomainfrom
ci/npm-trusted-publishing
Apr 15, 2026
Merged

ci: use npm trusted publishing instead of NPM_TOKEN#8
cubehouse merged 1 commit intomainfrom
ci/npm-trusted-publishing

Conversation

@cubehouse
Copy link
Copy Markdown
Member

@cubehouse cubehouse commented Apr 15, 2026

Summary

  • Removes the `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env from the publish step.
  • `npm publish --provenance` now authenticates via OIDC to the trusted publisher configured on the `themeparks` package.

Test plan

  • CI passes
  • Next tag-triggered release publishes successfully without `NPM_TOKEN` present in repo secrets

🤖 Generated with Claude Code

@cubehouse @claude
ci: use npm trusted publishing instead of NPM_TOKEN
47f18fd 
npm launched GitHub Actions trusted publishing (OIDC) in mid-2025.
With a trusted publisher configured on the package, `npm publish`
authenticates via the workflow's OIDC token (which we already have
via `id-token: write`, needed for --provenance). No long-lived
NPM_TOKEN secret required.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 15, 2026 11:59
Copilot AI reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the release workflow to publish to npm using npm’s Trusted Publishing (OIDC) flow rather than an NPM_TOKEN secret, aligning publishing auth with npm publish --provenance.

Changes:

  • Removes NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} from the npm publish step.
  • Relies on OIDC (id-token: write) permissions for authenticated provenance publishing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cubehouse cubehouse merged commit f8d0ee9 into main Apr 15, 2026
7 checks passed
@cubehouse cubehouse deleted the ci/npm-trusted-publishing branch April 15, 2026 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cubehouse