Migrate release workflow to OIDC with provenance #370

Merged: jaredwray merged 3 commits into main from claude/eloquent-turing-bQet8 on May 24, 2026

@jaredwray (Owner)

Summary

  • Remove NPM_TOKEN secret usage (pnpm config set and NODE_AUTH_TOKEN env var)
  • Add registry-url to setup-node for proper OIDC-based npm publishing
  • Add --access public and --no-git-checks flags to publish step
  • Remove pnpm cache from setup-node

The id-token: write permission combined with --provenance enables trusted publishing via OIDC without stored npm credentials.

Note: The ecto package must be configured for trusted publishing on npmjs.com to allow OIDC-based authentication from this repository.

Test plan

  • Verify trusted publishing is configured for the ecto package on npmjs.com
  • Trigger a release and confirm the package publishes successfully with provenance

https://claude.ai/code/session_01SY3mQSBYHYHEELdGjdBUPx


Generated by Claude Code

claude added 2 commits May 24, 2026 22:35
Remove NPM_TOKEN secret usage and configure setup-node with registry-url
for OIDC-based npm publishing. The id-token: write permission enables
provenance attestation and trusted publishing without stored credentials.

https://claude.ai/code/session_01SY3mQSBYHYHEELdGjdBUPx
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@codecov

codecov Bot commented May 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (7f3b25e) to head (658e90e).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #370   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            9         9           
  Lines          413       413           
  Branches        96        96           
=========================================
  Hits           413       413           

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 62e5a742f6

Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/release.yaml
setup-node with registry-url writes _authToken=${NODE_AUTH_TOKEN} to
.npmrc, which causes pnpm <11.2.0 to fail with 404 when the env var
is unset. Since OIDC auth is handled by --provenance + id-token:write,
registry-url is not needed — the default registry is already npmjs.org.

https://claude.ai/code/session_01SY3mQSBYHYHEELdGjdBUPx
jaredwray merged commit 8da5911 into main on May 24, 2026 (9 checks passed)
jaredwray deleted the claude/eloquent-turing-bQet8 branch on May 24, 2026 22:46
@jaredwray jaredwray mentioned this pull request May 25, 2026
4 tasks
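
The conditions named in this PR's description and final commit message (no stored npm token, `id-token: write`, `--provenance` on publish, no `registry-url` without `NODE_AUTH_TOKEN`) can be checked mechanically. The following is an added example, not part of the pull request or the project's code; the workflow snippets, the `auditReleaseWorkflow` helper and its finding codes are constructed for illustration.

```javascript
// Constructed sample workflows (not the project's release.yaml).
const TOKEN_BASED = `
permissions:
  contents: read
steps:
  - uses: actions/setup-node@v4
    with:
      registry-url: https://registry.npmjs.org
  - run: pnpm publish
    env:
      NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;
const OIDC = `
permissions:
  contents: read
  id-token: write
steps:
  - uses: actions/setup-node@v4
  - run: pnpm publish --provenance --access public --no-git-checks
`;
// Intermediate state: token removed but registry-url still set.
const OIDC_WITH_REGISTRY_URL = OIDC.replace(
  'setup-node@v4',
  'setup-node@v4\n    with:\n      registry-url: https://registry.npmjs.org'
);

// Hypothetical helper: returns a list of finding codes for a workflow file's text.
function auditReleaseWorkflow(text) {
  // Strip YAML comments so commented-out lines do not produce findings.
  const lines = text.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));
  const body = lines.join('\n');
  const findings = [];
  // A long-lived registry credential is still wired into the job.
  if (/\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b/.test(body)) findings.push('stored-token');
  // Without id-token: write the job cannot request an OIDC token.
  if (!/^[ \t]*id-token:[ \t]*write[ \t]*$/m.test(body)) findings.push('missing-id-token-write');
  // Every publish command should ask for a provenance attestation.
  const publish = lines.filter((l) => /\bp?npm\s+publish\b/.test(l));
  if (publish.some((l) => !/\s--provenance\b/.test(l))) findings.push('publish-without-provenance');
  // Per the last commit message in this PR: registry-url makes setup-node write
  // _authToken=${NODE_AUTH_TOKEN} to .npmrc, which fails when the variable is unset.
  if (/^[ \t]*registry-url:/m.test(body) && !/\bNODE_AUTH_TOKEN[ \t]*:/.test(body)) {
    findings.push('registry-url-without-node-auth-token');
  }
  return findings;
}

for (const [name, wf] of Object.entries({ TOKEN_BASED, OIDC, OIDC_WITH_REGISTRY_URL })) {
  console.log(name, auditReleaseWorkflow(wf));
}
```

The checks are line-based pattern matches over the workflow text, so they suit a pre-merge lint on a single release job rather than a full YAML analysis.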