@just-jeb

PR Checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[x] CI related changes
[ ] Documentation content changes
[ ] Other... Please describe:

What is the current behavior?

CI uses NPM_TOKEN secret for publishing packages to npm. Classic tokens have been revoked by npm and granular tokens expire every 90 days.

Issue Number: N/A

What is the new behavior?

Uses npm Trusted Publishing with OpenID Connect (OIDC) - no tokens needed, more secure.

Does this PR introduce a breaking change?

[ ] Yes
[x] No

Other information

Prerequisites before merging:
Set up Trusted Publisher on npm for each package at https://www.npmjs.com/package/@angular-builders/<pkg>/access:

  • Workflow: ci.yml
  • Organization: just-jeb
  • Repository: angular-builders

After merging, the NPM_TOKEN secret can be deleted from GitHub.

- Add id-token: write permission for OIDC
- Remove NPM_TOKEN dependency
- Add --provenance flag to lerna publish

This enables npm's trusted publishing using OpenID Connect,
eliminating the need for long-lived npm tokens.

@just-jeb merged commit 57ddc0c into master on Dec 17, 2025
1 check passed
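
A pre-merge check for the three workflow changes this PR lists, as an added example that is not part of the PR or the repository's ci.yml. The function names and both sample workflows are constructed, and the check is line-based, so a publish command split across several lines is not inspected.

```shell
#!/usr/bin/env bash
# Added example: audit a workflow file for the three changes listed in this PR.
# Function names and both sample workflows are constructed for illustration.
audit_publish_workflow() {
  f="$1"; findings=0
  # 1. The OIDC exchange only works if the job may request an ID token.
  if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write([[:space:]]|$)' "$f"; then
    echo "MISSING: id-token: write permission"; findings=$((findings + 1))
  fi
  # 2. A live secrets.NPM_TOKEN reference means the long-lived token is still used.
  if grep -v '^[[:space:]]*#' "$f" | grep -q 'secrets\.NPM_TOKEN'; then
    echo "LEFTOVER: secrets.NPM_TOKEN reference"; findings=$((findings + 1))
  fi
  # 3. Every single-line lerna publish call should carry --provenance.
  if grep -v '^[[:space:]]*#' "$f" | grep 'lerna publish' | grep -qv -- '--provenance'; then
    echo "MISSING: --provenance on lerna publish"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

write_before() {  # constructed "before" workflow: token-based publish
  cat > "$1" <<'EOF'
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npx lerna publish from-package --yes
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
}

write_after() {  # constructed "after" workflow: trusted publishing via OIDC
  cat > "$1" <<'EOF'
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - run: npx lerna publish from-package --yes --provenance
EOF
}

tmp=$(mktemp -d)
write_before "$tmp/before.yml"; write_after "$tmp/after.yml"
audit_publish_workflow "$tmp/before.yml" || echo "before.yml: not ready"
audit_publish_workflow "$tmp/after.yml" && echo "after.yml: ready"
```

Running the same function against the workflow file once the `NPM_TOKEN` secret has been deleted confirms that no step still depends on it.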