
Conversation

@Shegox Shegox commented Aug 5, 2025

This Pull Request updates the release workflow to utilize npmjs.com's trusted publishing.

As trusted publishing requires npm CLI version >=11.5.1, we manually install the latest version since the default installed npm version is insufficient.

This change eliminates the need for a static NPM_TOKEN secret, instead using short-lived OIDC identity tokens for authentication and package upload.

The necessary setup on npmjs.com has already been completed.

After this pull request is merged I will remove and invalidate the current static NPM_TOKEN secret.


Comment on lines +20 to +21
- name: Install latest npm cli
run: npm install -g npm@latest
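Review bot: `npm install -g npm@latest` in this step pulls whatever version carries the `latest` dist-tag at run time, so the release job is not reproducible and any future npm release (including a broken or compromised one) lands in the publish job unreviewed. Since the stated requirement is only `>=11.5.1`, pin an exact version that has been reviewed, e.g. `run: npm install -g npm@11.5.1`, and add a step that checks `npm --version` against that minimum so a too-old CLI fails loudly instead of failing later at publish time.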
Member

Why do we need this?

Author

As trusted publishing requires npm CLI version >=11.5.1, we manually install the latest version since the default installed npm version is insufficient.

In the latest workflow run we can see that by default the npm cli version 10.8.2 is used, which does not support trusted publishing.
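For reference, here is a complete release job of the kind the PR description and the reply above describe. It is an added example, not this repository's workflow: it grants the job an OIDC token, installs a pinned npm that is new enough for trusted publishing, fails fast if the installed CLI is still below 11.5.1, and publishes without any NPM_TOKEN. The trigger, action versions, Node version and the `release` environment name are assumptions.

```yaml
name: release

on:
  push:
    tags: ['v*']   # assumed trigger

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. The trusted publisher configured on npmjs.com
    # must match this repository, this workflow file and this environment.
    environment: release
    permissions:
      contents: read
      id-token: write   # lets the job request the short-lived OIDC token npm exchanges for publish rights
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # The runner's bundled npm (10.8.2 in the PR's workflow run) predates
      # trusted publishing. Pin an exact version rather than @latest so the
      # release job is reproducible and does not pick up unreviewed releases.
      - name: Install npm with trusted publishing support
        run: npm install -g npm@11.5.1

      # Guard step: fail loudly if the CLI is still too old instead of
      # discovering it at publish time. sort -V orders version strings.
      - name: Verify npm version
        run: |
          v="$(npm --version)"
          lowest="$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)"
          if [ "$lowest" != "11.5.1" ]; then
            echo "npm $v is too old for trusted publishing (need >= 11.5.1)" >&2
            exit 1
          fi

      - run: npm ci

      # No NODE_AUTH_TOKEN or NPM_TOKEN anywhere: npm obtains an OIDC identity
      # token from the runner and exchanges it with the registry for a
      # short-lived publish credential, so there is no static secret to leak.
      - name: Publish
        run: npm publish
```

With the static token revoked, a publish attempt from anywhere other than this workflow identity (a developer laptop, a fork, a different workflow file) has no credential to present and is rejected by the registry, which is the property the PR is after.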


Shegox commented Sep 26, 2025

FYI: The NPM_TOKEN has been revoked within npmjs.com and removed from the GitHub Actions Environment.

If you want to publish a new version you must use trusted publishing.
