ci: hard enforce tokenless OIDC publish #10

Merged: drewstone merged 1 commit into main from fix/oidc-tokenless-hardening on Mar 4, 2026

@drewstone

Contributor

Summary

  • set job-level NODE_AUTH_TOKEN to empty to prevent token-based npm auth
  • remove setup-node registry-url auth path

This enforces OIDC-only publish even if org/repo secrets still define npm tokens.

@drewstone drewstone merged commit 9ca19cd into main Mar 4, 2026
3 checks passed
@drewstone drewstone deleted the fix/oidc-tokenless-hardening branch March 4, 2026 01:31
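
A check for the two changes listed in the summary, as an added example that is not code from this pull request or repository: it flags a setup-node `registry-url` input and any non-empty `NODE_AUTH_TOKEN`, and requires an empty pin to be present. The workflow snippets, the `audit_workflow` name, and the line-based matching (which does not distinguish job-level from step-level `env`) are assumptions made for illustration.

```python
import re

# Constructed sample workflows for illustration; not this repository's files.
TOKEN_BASED = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

OIDC_ONLY = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token
    env:
      NODE_AUTH_TOKEN: ""   # job-level pin, as in the PR summary
    steps:
      - uses: actions/setup-node@v4
      - run: npm publish
"""

def audit_workflow(text):
    """Return (line_number, finding) pairs; line 0 marks a file-level finding."""
    findings, pinned_empty = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing YAML comments
        if re.match(r"registry-url\s*:", line):
            findings.append((n, "setup-node registry-url auth path present"))
        m = re.match(r"NODE_AUTH_TOKEN\s*:\s*(.*)$", line)
        if m:
            if m.group(1).strip().strip("'\""):
                findings.append((n, "NODE_AUTH_TOKEN set to a non-empty value"))
            else:
                pinned_empty = True
    if not pinned_empty:
        findings.append((0, "NODE_AUTH_TOKEN is not pinned to an empty value"))
    return findings

if __name__ == "__main__":
    for name, wf in (("token-based", TOKEN_BASED), ("oidc-only", OIDC_ONLY)):
        print(name, audit_workflow(wf) or "clean")
```

Run against a publish workflow in CI, a non-empty result can fail the build so a token-based auth path cannot be reintroduced unnoticed.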