Skip to content

feat: enable npm Trusted Publishers #346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicknisi merged 1 commit into from
Dec 19, 2025
Merged

feat: enable npm Trusted Publishers #346

nicknisi merged 1 commit into from
Dec 19, 2025

Conversation

@nicknisi
Copy link
Member

@nicknisi nicknisi commented Dec 19, 2025

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets

@nicknisi nicknisi requested a review from a team as a code owner December 19, 2025 15:43
@nicknisi nicknisi requested a review from atainter December 19, 2025 15:43
@nicknisi nicknisi merged commit 29b3c78 into main Dec 19, 2025
5 checks passed
@nicknisi nicknisi deleted the nicknisi/trusted-publisher branch December 19, 2025 15:59
@nicknisi nicknisi mentioned this pull request Jan 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gcarvelli gcarvelli gcarvelli approved these changes

@atainter atainter Awaiting requested review from atainter atainter is a code owner automatically assigned from workos/typescript

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nicknisi @gcarvelli