chore: configure npm trusted publishing via OIDC #147

Merged: alZyad merged 1 commit into main from chore/configure-trusted-publishing on May 12, 2026

alZyad (Contributor) commented May 12, 2026

Summary

  • Switch npm publish workflow from NPM_TOKEN to GitHub Actions trusted publishing (OIDC)
  • Add id-token: write permission, configure registry-url on setup-node, upgrade npm CLI to support OIDC
  • Drop the .npmrc token step — provenance attestations are now generated automatically

After first successful publish, revoke the NPM_TOKEN repo secret.

✅ Manual config at https://www.npmjs.com/package/@bam.tech/eslint-plugin/access already done

Test plan

  • Tag a release and confirm the workflow publishes successfully without NPM_TOKEN
  • Verify provenance attestation appears on the published package on npmjs.com

🤖 Generated with Claude Code

Switch publish workflow from NPM_TOKEN to GitHub Actions trusted
publishing. Adds id-token: write permission, sets registry-url on
setup-node, upgrades npm to a version that supports OIDC, and removes
the token-based .npmrc step. Provenance attestations are now generated
automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alZyad alZyad merged commit d2c1fa9 into main May 12, 2026
8 checks passed
@alZyad alZyad deleted the chore/configure-trusted-publishing branch May 12, 2026 12:36
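
The diff itself is not shown on this page. As an added illustration (not the repository's actual workflow file), a publish workflow of the kind the description outlines could look like the sketch below. The workflow name, tag trigger, Node version, action versions, and install commands are assumptions; the removed token step is shown as comments for contrast.

```yaml
# Illustrative sketch only; not the workflow merged in this pull request.
# Assumed: workflow name, trigger, Node version, action versions, npm commands.
name: publish

on:
  push:
    tags: ["v*"]

# Default to read-only; grant extra scopes per job.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Allows the job to request a GitHub OIDC token, which the npm
      # registry exchanges for a short-lived publish credential.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires npm CLI 11.5.1 or later.
      - run: npm install -g npm@latest

      - run: npm ci

      # Token-based form that trusted publishing replaces:
      #   - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
      #     env:
      #       NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      # No long-lived secret is referenced; the registry authorizes the
      # publish from the OIDC claims (repository and workflow) configured
      # on the package's access page.
      - run: npm publish
```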