.github/actions/npm-publish/action.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,8 +3,6 @@ name: Publish release to npm @@
     inputs:
       node-version:
         required: true
-      npm-token:
-        required: true
       version:
         required: true
       require-build:
@@ Expand All / @@ -26,6 +24,10 @@ runs: @@
             cache: 'npm'
             registry-url: 'https://registry.npmjs.org'
+        - name: Update npm to version 11
+          shell: bash
+          run: npm install -g npm@11
         - name: Install dependencies
           shell: bash
           run: npm ci --include=dev
@@ Expand All / @@ -46,7 +48,6 @@ runs: @@
             else
               TAG="latest"
             fi
-            npm publish --provenance --tag $TAG
+            npm publish --tag $TAG
           env:
-            NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
             VERSION: ${{ inputs.version }}

.github/workflows/npm-release.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,14 +15,15 @@ on: @@
         secrets:
           github-token:
             required: true
-          npm-token:
-            required: true
     jobs:
       release:
         if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
         runs-on: ubuntu-latest
         environment: release
+        permissions:
+          contents: write
+          id-token: write
         steps:
           # Checkout the code
@@ Expand Down Expand Up / @@ -66,7 +67,6 @@ jobs: @@
               node-version: ${{ inputs.node-version }}
               require-build: ${{ inputs.require-build }}
               version: ${{ steps.get_version.outputs.version }}
-              npm-token: ${{ secrets.npm-token }}
               release-directory: ${{ inputs.release-directory }}
           # Create a release for the tag
@@ Expand Down @@

.github/workflows/release.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,7 @@ on: @@
     permissions:
       contents: write
-      id-token: write # For publishing to npm using --provenance
+      id-token: write # For trusted publishing to npm
     ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
     ### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `npm-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ Expand Down Expand Up / @@ -36,5 +36,4 @@ jobs: @@
           require-build: true
           release-directory: './dist/auth0-angular'
         secrets:
-          npm-token: ${{ secrets.NPM_TOKEN }}
           github-token: ${{ secrets.GITHUB_TOKEN }}

feat: enable trusted publishing for npm packages #769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Jan 13, 2026

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,8 +3,6 @@ name: Publish release to npm @@
     inputs:
       node-version:
         required: true
-      npm-token:
-        required: true
       version:
         required: true
       require-build:
@@ Expand All / @@ -26,6 +24,10 @@ runs: @@
             cache: 'npm'
             registry-url: 'https://registry.npmjs.org'
+        - name: Update npm to version 11
+          shell: bash
+          run: npm install -g npm@11
         - name: Install dependencies
           shell: bash
           run: npm ci --include=dev
@@ Expand All / @@ -46,7 +48,6 @@ runs: @@
             else
               TAG="latest"
             fi
-            npm publish --provenance --tag $TAG
+            npm publish --tag $TAG
           env:
-            NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
             VERSION: ${{ inputs.version }}

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,14 +15,15 @@ on: @@
         secrets:
           github-token:
             required: true
-          npm-token:
-            required: true
     jobs:
       release:
         if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
         runs-on: ubuntu-latest
         environment: release
+        permissions:
+          contents: write
+          id-token: write
         steps:
           # Checkout the code
@@ Expand Down Expand Up / @@ -66,7 +67,6 @@ jobs: @@
               node-version: ${{ inputs.node-version }}
               require-build: ${{ inputs.require-build }}
               version: ${{ steps.get_version.outputs.version }}
-              npm-token: ${{ secrets.npm-token }}
               release-directory: ${{ inputs.release-directory }}
           # Create a release for the tag
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,7 @@ on: @@
     permissions:
       contents: write
-      id-token: write # For publishing to npm using --provenance
+      id-token: write # For trusted publishing to npm
     ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
     ### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `npm-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ Expand Down Expand Up / @@ -36,5 +36,4 @@ jobs: @@
           require-build: true
           release-directory: './dist/auth0-angular'
         secrets:
-          npm-token: ${{ secrets.NPM_TOKEN }}
           github-token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback