From 8d1cca3a5c55dd4ee85bcb26182a5efc39e32e70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20Garc=C3=ADa?=
Date: Wed, 26 Nov 2025 16:18:01 +0100
Subject: [PATCH 1/2] Revert "refactor: move to OIDC publications (#89)"
This reverts commit 2b084178ead08edd0459d0ed9bd601dff67ad955.
---
.github/workflows/pkg-release.yml | 34 -------------------------------
.github/workflows/publish.yml | 30 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 34 deletions(-)
delete mode 100644 .github/workflows/pkg-release.yml
create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/pkg-release.yml b/.github/workflows/pkg-release.yml
deleted file mode 100644
index 7935ce2..0000000
--- a/.github/workflows/pkg-release.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# This filename is associated with the respective NPM package's trusted publish config.
-# If required, update both together.
-
-name: Package Release
-
-on:
- push:
- tags:
- - 'v*.*.*'
-
- workflow_dispatch:
- inputs:
- tag:
- description: 'Tag to publish (e.g. v1.2.3 or v1.2.3-rc.1)'
- required: true
- type: string
-
-permissions:
- contents: read
- id-token: write # required for OIDC-based publishing
-
-jobs:
- call-npm-release:
- uses: postmanlabs/gh-security-scan-workflow/.github/workflows/security-npm-publish.yml@main
-
- with:
- tag: ${{ github.ref_type == 'tag' && github.ref_name || inputs.tag }}
- node_version: '22'
- package_path: 'dist'
- skip_tests: true
- dry_run: ${{ github.event_name == 'workflow_dispatch' }}
-
- secrets:
- POSTMAN_NPM_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }} # read-only granular token
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..0b0059f
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,30 @@
+name: Publish to npm
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Publish to npm
+ run: npm publish --provenance --access public
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
From 333993a796e8efe1d2c6b48b557f89368b8cacf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20Garc=C3=ADa?=
Date: Wed, 26 Nov 2025 16:23:42 +0100
Subject: [PATCH 2/2] refactor: move to OIDC publications
---
.../workflows/{publish.yml => pkg-release.yml} | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
rename .github/workflows/{publish.yml => pkg-release.yml} (61%)
diff --git a/.github/workflows/publish.yml b/.github/workflows/pkg-release.yml
similarity index 61%
rename from .github/workflows/publish.yml
rename to .github/workflows/pkg-release.yml
index 0b0059f..07b1ae1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/pkg-release.yml
@@ -5,26 +5,28 @@ on: tags: - 'v*' +permissions: + contents: read + id-token: write + jobs: publish: runs-on: ubuntu-latest - permissions: - contents: read - id-token: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: - node-version: '22' + node-version: '24' registry-url: 'https://registry.npmjs.org' - name: Install dependencies run: npm ci - name: Publish to npm + if: github.ref_type == 'tag' run: npm publish --provenance --access public env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }}
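Review bot: `actions/checkout@v5` and `actions/setup-node@v4` are referenced by mutable tag in a job that holds `id-token: write` and goes on to publish the package, so a retagged or compromised action release would run with release rights; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v5` (placeholder, not a real hash). The same applies to the `@v6` references introduced by the PATCH 2/2 hunk. Separately, the `Install dependencies` step runs `npm ci` with lifecycle scripts enabled inside that same privileged job; `run: npm ci --ignore-scripts` would keep dependency install scripts from executing there, provided the package does not rely on an install-time build step, which this diff does not show.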
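Review bot: The `Publish to npm` step still injects a stored credential, `NODE_AUTH_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }}`, even though the commit is titled as a move to OIDC publication. If trusted publishing is configured for this package, the `env:` block can be dropped so that no long-lived secret is present at publish time. If the token is only needed to read private dependencies (the workflow removed in PATCH 1/2 described it as a read-only granular token), it belongs on the `Install dependencies` step instead. The rename back to `pkg-release.yml` also drops the header comment the removed file carried, and it is worth restoring at the top of the file: `# This filename is associated with the respective NPM package's trusted publish config.` followed by `# If required, update both together.` The top of the workflow, including most of the `on:` block, lies outside this hunk.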