fix: use manual OIDC token exchange for npm trusted publishing #1084
Merged
trim21 merged 1 commit into jesec:master from Apr 5, 2026
Trusted publishing requires npm CLI >= 11.5.1 for built-in OIDC support, which is unavailable with Node 22's bundled npm 10.x. Instead, use actions/github-script to obtain the OIDC token from GitHub Actions, exchange it with npm registry API for a short-lived publish token, and use that token with pnpm publish.

Also removes unnecessary actions/checkout from publish-rolling.yml npm-publish job, fixing the 'No bin file found' warning.

Affects both release.yml (flood) and publish-rolling.yml (@jesec/flood).
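
The token exchange outlined in the description above, as an added example (not code from this pull request): it checks the GitHub OIDC token's claims before sending the token to the registry and returns the publish token from the response. The audience value, the exchange endpoint path and all function names are assumptions that do not appear on this page.

```javascript
// Added example, not the PR's workflow code. AUDIENCE and the exchange path
// are assumptions (not shown on the page); all function names are hypothetical.
const REGISTRY = "https://registry.npmjs.org";
const AUDIENCE = "npm:registry.npmjs.org";

// Constructed sample token for offline runs; the signature is a placeholder.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.sig`;
}

// Decode the JWT payload without verifying the signature (the registry does
// that); this only fails fast on a token minted for the wrong audience or repo.
function checkClaims(jwt, { repository, now = Date.now() / 1000 }) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const c = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(AUDIENCE)) throw new Error(`unexpected aud: ${c.aud}`);
  if (c.repository !== repository) throw new Error(`unexpected repository: ${c.repository}`);
  if (typeof c.exp !== "number" || c.exp <= now) throw new Error("token expired");
  return c;
}

function buildExchangeRequest(pkg, idToken) {
  // Scoped names such as @jesec/flood are sent as a single path segment.
  const escaped = pkg.replace("/", "%2f");
  const url = `${REGISTRY}/-/npm/v1/oidc/token/exchange/package/${escaped}`;
  return { url, init: { method: "POST", headers: { Authorization: `Bearer ${idToken}` } } };
}

async function exchangeForPublishToken(pkg, idToken, repository, fetchImpl = fetch) {
  checkClaims(idToken, { repository });
  const { url, init } = buildExchangeRequest(pkg, idToken);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`exchange failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== "string" || body.token === "") {
    throw new Error("exchange response carried no token");
  }
  return body.token; // short-lived: mask it in logs, hand it only to the publish step
}
```

Inside actions/github-script the ID token would come from `core.getIDToken(AUDIENCE)`, which requires the job to have the `id-token: write` permission.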
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #1084 +/- ##
==========================================
- Coverage 22.26% 22.24% -0.02%
==========================================
Files 412 412
Lines 27575 27575
Branches 1291 1286 -5
==========================================
- Hits 6139 6135 -4
- Misses 21138 21142 +4
Partials 298 298

marcinmajsc added a commit to marcinmajsc/flood that referenced this pull request Apr 8, 2026
* feat: bind to `::` for dual-stack IPv4+IPv6 support in Docker (jesec#1063)
  * Initial plan
  * feat: support IPv6 in Docker containers by changing default host to ::
    Co-authored-by: trim21 <13553903+trim21@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: trim21 <13553903+trim21@users.noreply.github.com>
* fix(qbittorrent): show seeding ETA instead of ∞ (jesec#1060)
* chore(geoip): update GeoLite2-Country.mmdb (jesec#1058)
  Co-authored-by: trim21 <13553903+trim21@users.noreply.github.com>
  Co-authored-by: Trim21 <trim21.me@gmail.com>
* chore: update cron schedule for update-mmdb workflow (jesec#1066)
* build(deps-dev): bump fastify from 5.7.3 to 5.8.3 (jesec#1068)
  Bumps [fastify](https://github.com/fastify/fastify) from 5.7.3 to 5.8.3.
  - [Release notes](https://github.com/fastify/fastify/releases)
  - [Commits](fastify/fastify@v5.7.3...v5.8.3)
  ---
  updated-dependencies:
  - dependency-name: fastify
    dependency-version: 5.8.3
    dependency-type: direct:development
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: query string token authentication for torrent content downloads (jesec#1070)
* release: 4.13.1 (jesec#1071)
* build(deps-dev): bump lodash from 4.17.23 to 4.18.1 (jesec#1072)
  Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
  - [Release notes](https://github.com/lodash/lodash/releases)
  - [Commits](lodash/lodash@4.17.23...4.18.1)
  ---
  updated-dependencies:
  - dependency-name: lodash
    dependency-version: 4.18.1
    dependency-type: direct:development
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* i18n: new translations (jesec#1057)
  Co-authored-by: Crowdin Bot <support+bot@crowdin.com>
* chore(geoip): update GeoLite2-Country.mmdb (jesec#1067)
  Co-authored-by: trim21 <13553903+trim21@users.noreply.github.com>
* fix: add `--no-git-checks` to pnpm publish for tag-based releases (jesec#1073)
* fix: mount point drag-and-drop reorder not persisted on save (jesec#1056)
* release: 4.13.2 (jesec#1074)
* fix: remove prepare script before packing npm tarball (jesec#1075)
  The prepare script runs husky which is not available in CI publish environment. Use jq to strip it from package.json before pnpm pack.
* release: 4.13.3 (jesec#1076)
* fix: remove unnecessary checkout in npm-publish job (jesec#1077)
  The checkout causes 'No bin file found at dist/index.js' warning because npm reads the local package.json which references dist/ that only exists inside the tarball. Publishing a tarball does not require a repo checkout.
* release: 4.13.4 (jesec#1078)
* fix: specify pnpm version in npm-publish job (jesec#1079)
  After removing checkout in jesec#1077, pnpm/action-setup can no longer read packageManager from package.json. Explicitly specify version.
* release: 4.13.5 (jesec#1080)
* fix: use npm 11 for trusted publishing in npm-publish job (jesec#1081)
  Trusted publishing requires npm CLI >= 11.5.1 for OIDC support. pnpm does not support trusted publishing OIDC flow, and the empty NODE_AUTH_TOKEN caused ENEEDAUTH instead of falling through to OIDC. Switch to npm publish directly and install npm 11 globally.
* release: 4.13.6 (jesec#1082)
* fix: use manual OIDC token exchange for npm trusted publishing (jesec#1084)
* release: 4.13.7 (jesec#1085)
* fix: use proper MIME types for torrent content download (jesec#1086)
  Replace manual file extension switch with mime-types library lookup to return correct Content-Type headers (e.g. 'video/mp4' instead of '.mp4'). Falls back to 'application/octet-stream' for unknown types.
* fix: prevent SKIPPED summary jobs from bypassing required checks (jesec#1088)
* fix: download torrent files with proper HTTP Range support using `@fastify/send` (jesec#1089)
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: trim21 <13553903+trim21@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Trim21 <trim21.me@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Crowdin Bot <support+bot@crowdin.com>
Co-authored-by: Kasra Fakhari <kasraf1373@gmail.com>