Conversation

@tiwarishubham635
Contributor

Fixes

Following the recent revocation of NPM classic tokens, this PR migrates the release process to use trusted publishers. Documentation: https://docs.npmjs.com/trusted-publishers
Since we are releasing using semantic-release, which internally handles npm publish, we are setting provenance to true explicitly.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket, or create a GitHub Issue in this repository.
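The workflow shape the description refers to, written out as an added example rather than the project's own release.yml. The job name, branch filter, action versions and the assumption that the installed @semantic-release/npm release recognizes the GitHub OIDC environment (so no NPM_TOKEN secret is required) are mine, not taken from the page; the `NPM_CONFIG_PROVENANCE` variable and the `id-token`/`contents` permissions are the ones the PR summary names.

```yaml
# Example release workflow for npm trusted publishing (OIDC), not the project's file.
name: Release

on:
  push:
    branches: [main]   # assumption: releases cut from main, as in this PR

# Declaring a permissions block resets every unlisted permission to none,
# so list exactly what the job needs.
permissions:
  contents: write   # semantic-release pushes the version tag and GitHub release
  id-token: write   # lets the job request a GitHub OIDC token; npm exchanges it
                    # for a short-lived publish credential, replacing NPM_TOKEN

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # semantic-release walks the full history to pick the next version

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # No registry-url here: the changelog on this page records a follow-up
          # chore that removed it, and it is not needed for OIDC publishing.

      # Node 20 bundles npm 10.x; trusted publishing needs npm 11.5.1 or newer,
      # which is why the PR upgrades to npm@latest before publishing.
      - run: npm install -g npm@latest
      - run: npm --version

      - run: npm ci

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # npm reads any config key from NPM_CONFIG_<KEY>; this makes the
          # npm publish that semantic-release runs attach a SLSA provenance
          # attestation tied to this workflow run.
          NPM_CONFIG_PROVENANCE: "true"
          # Deliberately absent: NPM_TOKEN / NODE_AUTH_TOKEN. If the installed
          # @semantic-release/npm still insists on NPM_TOKEN in verifyConditions,
          # a granular token is needed only for that check (assumption about
          # why the changelog below also records an "add npm token" chore).
```

The other half of the setup lives on npmjs.com: the package's Trusted Publisher entry must name this repository owner, repository and the workflow filename (release.yml on this page) and, if one is used, the GitHub environment; a token minted from any other workflow is rejected. Two checks worth running after the first release: `npm view <package>@<version> dist.attestations` should now show a provenance predicate, and `npm audit signatures` in a consuming project verifies the registry signature and attestation of what was installed.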

@sonarqubecloud

sonarqubecloud bot commented Dec 8, 2025

Please retry analysis of this Pull-Request directly on SonarQube Cloud
Contributor

Copilot AI left a comment

Pull request overview

This PR migrates the NPM publishing process from classic tokens to trusted publishers using OpenID Connect (OIDC) authentication, following NPM's recent revocation of classic tokens. The changes configure both the semantic-release plugin and GitHub Actions workflow to support provenance generation with OIDC.

Key changes:

  • Added OIDC permissions and provenance configuration to enable trusted publishing
  • Updated Node.js version from 18.x to 20 with npm@latest
  • Replaced NPM_TOKEN secret with OIDC-based authentication using NPM_CONFIG_PROVENANCE

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .releaserc.json | Configured @semantic-release/npm plugin with provenance enabled for attestation generation |
| .github/workflows/release.yml | Added OIDC permissions (id-token, contents), updated Node.js to v20, removed NPM_TOKEN in favor of NPM_CONFIG_PROVENANCE environment variable |

@tiwarishubham635 tiwarishubham635 merged commit a544aea into main Dec 8, 2025
17 checks passed
@tiwarishubham635 tiwarishubham635 deleted the add_oidc branch December 8, 2025 06:30
twilio-dx pushed a commit that referenced this pull request Dec 8, 2025
### [8.2.4](8.2.3...8.2.4) (2025-12-08)

### Library - Fixes

* Add edge parameter support for regional authentication ([#298](#298)) ([9f023f4](9f023f4))
* Regional Endpoint Processing ([#296](#296)) ([b3786ca](b3786ca)), closes [#297](#297)

### Library - Chores

* add npm token for semantic-release authentication ([e13b03c](e13b03c))
* Add trusted publisher ([#299](#299)) ([a544aea](a544aea))
* remove registry url ([6a1c488](6a1c488))
4 participants