Skip to content

fix(ci): switch to npm trusted publishing for automated releases #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
drichar merged 1 commit into from
Jan 14, 2026
Merged

fix(ci): switch to npm trusted publishing for automated releases #1

drichar merged 1 commit into from
Jan 14, 2026

Conversation

@drichar
Copy link
Contributor

@drichar drichar commented Jan 14, 2026
edited
Loading

Summary

Replaces NPM_TOKEN-based authentication with OIDC trusted publishing to resolve the 2FA/OTP requirement that was blocking automated npm releases. This is the modern recommended approach for npm publishing from GitHub Actions, eliminating the need for long-lived npm tokens.

Changes

  • Release workflow: Removed NPM_TOKEN environment variable since trusted publishing uses OIDC tokens automatically
  • Security verification: Added npm audit signatures step to verify dependency provenance
  • Package config: Enabled provenance: true in publishConfig for explicit attestation documentation

Setup Required

Before merging, the trusted publisher must be configured on npmjs.com (already completed):

  • Organization: TxnLab
  • Repository: haystack-js
  • Workflow: release.yml

Test Plan

  • Merge PR to main
  • Verify release workflow completes without EOTP errors
  • Confirm package publishes to npm with provenance badge
  • Verify GitHub release is created and CHANGELOG.md is updated

@drichar
fix(ci): switch to npm trusted publishing for automated releases
15cfccb 
Replace NPM_TOKEN-based authentication with OIDC trusted publishing,
which bypasses 2FA requirements and eliminates the need for long-lived
npm tokens. This is the recommended modern approach for npm publishing
from GitHub Actions.

Changes:
- Remove NPM_TOKEN from release workflow environment
- Add npm audit signatures step for security verification
- Enable provenance in package.json publishConfig
@drichar drichar merged commit 4da7636 into main Jan 14, 2026
1 check passed
github-actions bot added a commit that referenced this pull request Jan 14, 2026
@github-actions
chore(release): 2.0.1 [skip ci]
794ae5c 
## [2.0.1](v2.0.0...v2.0.1) (2026-01-14)

### Bug Fixes

* **ci:** switch to npm trusted publishing for automated releases ([#1](#1)) ([4da7636](4da7636))
@drichar drichar mentioned this pull request Jan 14, 2026
Merged
3 tasks
@drichar drichar deleted the fix/npm-trusted-publishing branch January 14, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@drichar