Skip to content

chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows #30787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 17, 2025
Merged

chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows #30787

merged 2 commits into from
Nov 17, 2025
+130 −8

Conversation

@gnbm
Copy link
Contributor

@gnbm gnbm commented Nov 17, 2025

Issue number: resolves #

What is the current behavior?

  • Publishing to npm is failing due to the changes to move to Trusted Publishers, since it seems that they still don't support reusable workflows, as mentioned here
  • The action to which we grant permissions on npm needs to follow a strict path location .github/workflows/ in your repository.

What is the new behavior?

  • Fixed permissions mismatch by applying the orchestrator method for npm publish:
    release-orchestrator.yml (contents: read, id-token: write)

    ├─→ nightly.yml (contents: read, id-token: write)
    │ └─→ release-ionic.yml (contents: read, id-token: write)
    │ └─→ publish-npm.yml (contents: read, id-token: write) ✅

    ├─→ dev-build.yml (contents: read, id-token: write)
    │ └─→ release-ionic.yml (contents: read, id-token: write)
    │ └─→ publish-npm.yml (contents: read, id-token: write) ✅

    └─→ release.yml (contents: read, id-token: write)
    └─→ release-ionic.yml (contents: read, id-token: write)
    └─→ publish-npm.yml (contents: read, id-token: write) ✅

  • release-orchestrator.yml calls three workflows: nightly.yml, dev-build.yml, and release.yml.

  • All three call release-ionic.yml, which handles publishing multiple packages.

  • release-ionic.yml calls publish-npm.yml multiple times (once per package).

  • All workflows have contents: read and id-token: write permissions.

  • publish-npm.yml is in .github/workflows/, which satisfies npm Trusted Publishers requirements.

  • This shows that publish-npm.yml is reachable through all three release paths, and moving it to .github/workflows/ ensures npm Trusted Publishers can authenticate it correctly.

Does this introduce a breaking change?

  • Yes
  • No
  • Run pipelines after merge

Other information

  • The workflow release-orchestrator.yml needs to be the one set up in the npm package settings for the Trusted Publishers

@vercel
Copy link

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
ionic-framework Ready Ready Preview Comment Nov 17, 2025 5:05pm

@gnbm gnbm changed the title bug(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows fix(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm changed the title fix(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows fix(npm): attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm marked this pull request as ready for review November 17, 2025 17:11
@gnbm gnbm requested a review from a team as a code owner November 17, 2025 17:11
@gnbm gnbm requested a review from thetaPC November 17, 2025 17:11
@gnbm gnbm enabled auto-merge November 17, 2025 17:21
@gnbm gnbm requested review from OS-jacobbell and ShaneK November 17, 2025 17:22
@gnbm gnbm disabled auto-merge November 17, 2025 17:27
@ShaneK ShaneK changed the title fix(npm): attempt to fix issue with Trusted Publishers when using reusable workflows chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm added this pull request to the merge queue Nov 17, 2025
Merged via the queue into main with commit ecc2911 Nov 17, 2025
52 of 54 checks passed
@gnbm gnbm deleted the gm/release-action-fix1 branch November 17, 2025 18:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ShaneK ShaneK ShaneK approved these changes

@OS-jacobbell OS-jacobbell OS-jacobbell approved these changes

@thetaPC thetaPC Awaiting requested review from thetaPC thetaPC is a code owner automatically assigned from ionic-team/framework

Assignees

No one assigned

Labels

github_actions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gnbm @ShaneK @OS-jacobbell