From 6eb3ca537d2e999d966298ae55b01ce138df3027 Mon Sep 17 00:00:00 2001
From: Fern Support <126544928+fern-support@users.noreply.github.com>
Date: Thu, 30 Oct 2025 15:53:14 -0400
Subject: [PATCH] chore: update npm publishing to use OIDC authentication
This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.
Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN environment variable from publish job
- Removed 'npm config set' command that configured static token authentication
- Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
- Preserved all existing jobs, steps, conditions, and INTERCOM_API_KEY environment variable
---
 .github/workflows/ci.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4b1950e5..fc8979c7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,6 +38,8 @@ jobs:
 needs: [ compile, test ]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
@@ -50,13 +52,13 @@ jobs:
 - name: Publish to npm
 run: |
- npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+ publish() {
+ npx -y npm@latest publish "$@"
+ }
 if [[ ${GITHUB_REF} == *alpha* ]]; then
- npm publish --access public --tag alpha
+ publish --access public --tag alpha
 elif [[ ${GITHUB_REF} == *beta* ]]; then
- npm publish --access public --tag beta
+ publish --access public --tag beta
 else
- npm publish --access public
- fi
- env:
- NPM_TOKEN: ${{ secrets.FERN_NPM_TOKEN }}
\ No newline at end of file
+ publish --access public
+ fi
\ No newline at end of file
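Review bot: The new job-level `permissions:` block in the publish job lists only `id-token: write`, and once a job declares permissions every scope it does not name drops to `none`, including `contents`. The `actions/checkout@v3` step right below it then gets no repository read access through GITHUB_TOKEN, which fails on a private repository; on a public one it probably still works, but that depends on repository visibility rather than on the workflow. I would add `contents: read` next to `id-token: write` so the job states the least privilege it actually needs. The job definition starts above this hunk and continues below it, so any other step that relies on the token is not visible here.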
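Review bot: `npx -y npm@latest publish "$@"` in the new `publish()` helper downloads and runs whatever npm release is tagged `latest` at the moment a tag is pushed, and it does so in the one job that can mint an OIDC token for the registry. The release path is therefore not reproducible, and a broken or tampered CLI release would reach the publish step without review. I would pin the CLI to a reviewed version that supports OIDC publishing, `npx -y npm@<PINNED_VERSION> publish "$@"`, and bump it deliberately. Because the static token is no longer read, the `FERN_NPM_TOKEN` secret should also be revoked at the registry and deleted from the repository secrets, which this diff cannot show.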