build: use trusted publishing to publish to NPM#1021
Merged
intcreator merged 1 commit into main from Oct 30, 2025
Conversation
Pull Request Overview
This PR migrates the release workflow from secret-based npm authentication to npm's trusted publishing feature using OpenID Connect (OIDC), enhancing security by eliminating the need for long-lived authentication tokens.
- Adds OIDC permissions (id-token: write) required for trusted publishing
- Removes NPM_TOKEN secret dependency from the release step
Comments suppressed due to low confidence (1)

.github/workflows/release.yml:39

- The setup-node action requires the registry-url parameter to be set for npm trusted publishing to work. Add registry-url: 'https://registry.npmjs.org' to the with section to enable provenance and trusted publishing support.

uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
  node-version: 'lts/*'
  cache: npm
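A complete release job in the shape the review above calls for, written here as an added example rather than this repository's own release.yml: the job grants only `contents: read` and `id-token: write`, sets `registry-url` on setup-node, and publishes with no NPM_TOKEN at all. The checkout action version, the npm upgrade step and the package itself are assumptions; the semantic-release setup the project actually uses is not modelled.

```yaml
# Added example of a release workflow using npm trusted publishing (OIDC).
# Assumptions (not from the repository): the package is registered on
# npmjs.com with this repo and this workflow filename as its trusted
# publisher, and the workflow lives at .github/workflows/release.yml.
name: release

on:
  push:
    branches: [main]

# Start from no permissions and grant only what the publish job needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # read-only checkout of the repository
      id-token: write  # lets the job mint the OIDC token npm exchanges for credentials
    steps:
      - uses: actions/checkout@v5   # pin to a commit SHA in production, as setup-node is below

      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: 'lts/*'
          cache: npm
          # Required for trusted publishing: setup-node only writes the
          # registry into .npmrc when registry-url is set.
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs npm 11.5.1 or newer; the npm bundled with the
      # selected Node LTS may be older, so upgrade it in the job.
      - run: npm install -g npm@latest && npm --version

      - run: npm ci
      - run: npm test

      # No NODE_AUTH_TOKEN or NPM_TOKEN secret anywhere in this job: npm uses
      # the OIDC token to obtain a short-lived credential, and --provenance
      # attaches an attestation linking the published tarball to this run.
      - run: npm publish --provenance --access public
```

If the npm side is not configured for this repository and workflow filename, the publish step fails with an authentication error rather than falling back to a token, which is the behaviour you want from a token-free release.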
intcreator added a commit that referenced this pull request on Nov 6, 2025:
## Description

see #1021. now I'm using a GitHub app from the kelektiv org to generate tokens during the deploy process

## Related Issue

## Motivation and Context

## How Has This Been Tested?

## Screenshots (if appropriate):

## Types of changes

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Checklist:

- [ ] My code follows the code style of this project.
- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I have added tests to cover my changes.
- [ ] All new and existing tests passed.
- [ ] If my change introduces a breaking change, I have added a `!` after the type/scope in the title (see the Conventional Commits standard).
node-cron-release bot pushed a commit that referenced this pull request on Nov 6, 2025:
## [4.3.4](v4.3.3...v4.3.4) (2025-11-06)

### 🐛 Bug Fixes

* catch errors in async onTick functions ([#1013](#1013)) ([2ac3001](2ac3001))

### 🛠 Builds

* add GitHub app token to use for release ([#1024](#1024)) ([61b54f6](61b54f6))
* remove chai since we aren't using it ([#1012](#1012)) ([cf14205](cf14205))
* switch to using built in GitHub token ([#1022](#1022)) ([d24b3ea](d24b3ea))
* update release config to use trusted publishing ([#1023](#1023)) ([0cb3ff6](0cb3ff6)), closes [#1017](#1017) [#1018](#1018)
* use trusted publishing to publish to NPM ([#1021](#1021)) ([44f14f3](44f14f3))

### ♻️ Chores

* **action:** update actions/checkout action to v4.3.0 ([d8913b8](d8913b8))
* **action:** update actions/checkout action to v5 ([#1005](#1005)) ([2e2a021](2e2a021))
* **action:** update actions/setup-node action to v5 ([#1009](#1009)) ([4a7f1f3](4a7f1f3))
* **action:** update amannn/action-semantic-pull-request action to v6 ([#1006](#1006)) ([832ca6e](832ca6e))
* **action:** update github/codeql-action action to v3.29.11 ([ec90183](ec90183))
* **action:** update github/codeql-action action to v3.29.8 ([842e3e0](842e3e0))
* **action:** update github/codeql-action action to v3.30.3 ([#1010](#1010)) ([b195a01](b195a01))
* **action:** update github/codeql-action action to v3.30.4 ([45a48b8](45a48b8))
* **action:** update github/codeql-action action to v3.30.7 ([5de5bfc](5de5bfc))
* **action:** update github/codeql-action action to v3.30.8 ([4df56a5](4df56a5))
* **action:** update github/codeql-action action to v3.31.0 ([14d7498](14d7498))
* **action:** update ossf/scorecard-action action to v2.4.3 ([e8a33a0](e8a33a0))
* **action:** update step-security/harden-runner action to v2.13.1 ([2a4a2c2](2a4a2c2))
* **deps:** lock file maintenance ([1de94a3](1de94a3))
* **deps:** lock file maintenance ([420c4b1](420c4b1))
* **deps:** lock file maintenance ([ac128a2](ac128a2))
* **deps:** lock file maintenance ([573faca](573faca))
* **deps:** lock file maintenance ([bbb3ab2](bbb3ab2))
* **deps:** lock file maintenance ([fd06770](fd06770))
* **deps:** lock file maintenance ([3c5769e](3c5769e))
* **deps:** lock file maintenance ([51e2121](51e2121))
* **deps:** lock file maintenance ([daf30a6](daf30a6))
* **deps:** lock file maintenance ([a60f049](a60f049))
* **deps:** lock file maintenance ([555cbbf](555cbbf))
* **deps:** lock file maintenance ([a330852](a330852))
* **deps:** lock file maintenance ([90fbb48](90fbb48))
* **deps:** update dependency [@eslint](https://github.com/eslint)/js to v9.34.0 ([cdf3a2d](cdf3a2d))
* **deps:** update dependency [@eslint](https://github.com/eslint)/js to v9.35.0 ([#1011](#1011)) ([64c84bd](64c84bd))
* **deps:** update dependency [@eslint](https://github.com/eslint)/js to v9.36.0 ([23e0fbc](23e0fbc))
* **deps:** update dependency [@eslint](https://github.com/eslint)/js to v9.37.0 ([3a20922](3a20922))
* **deps:** update dependency [@eslint](https://github.com/eslint)/js to v9.38.0 ([#1020](#1020)) ([b853a38](b853a38))
* **deps:** update dependency [@semantic-release](https://github.com/semantic-release)/github to v11.0.4 ([#1007](#1007)) ([d04396d](d04396d))
* **deps:** update dependency [@swc](https://github.com/swc)/core to v1.13.20 ([#1019](#1019)) ([c906a92](c906a92))
* **deps:** update dependency [@swc](https://github.com/swc)/core to v1.13.3 ([461e602](461e602))
* **deps:** update dependency [@swc](https://github.com/swc)/core to v1.13.4 ([7665c00](7665c00))
* **deps:** update dependency [@swc](https://github.com/swc)/core to v1.13.5 ([5b74613](5b74613))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.17.0 ([40603d9](40603d9))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.17.2 ([cce46b8](cce46b8))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.18.1 ([9e07aab](9e07aab))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.18.12 ([3d8843d](3d8843d))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.18.6 ([438addc](438addc))
* **deps:** update dependency [@types](https://github.com/types)/node to v22.18.8 ([18f6c48](18f6c48))
* **deps:** update dependency chai to v5.3.3 ([#1008](#1008)) ([a308ecb](a308ecb))
* **deps:** update dependency jest to v30.2.0 ([bad0c07](bad0c07))
* **deps:** update dependency typescript to v5.9.2 ([411a2da](411a2da))
* **deps:** update dependency typescript to v5.9.3 ([2251f01](2251f01))
* **deps:** update linters ([26069e5](26069e5))
* **deps:** update semantic-release related packages ([4c56e18](4c56e18))
* **deps:** update semantic-release related packages ([bafbf3b](bafbf3b))
* **deps:** update semantic-release related packages (major) ([#1015](#1015)) ([7b06e1d](7b06e1d))
* **deps:** update tests (major) ([#998](#998)) ([99670af](99670af))
Description

Due to new security requirements from GitHub, I decided to migrate our authentication with NPM to trusted publishing.

Related Issue

Motivation and Context

I don't want to rotate the NPM token every 90 days.

How Has This Been Tested?

I will manually verify that the new publish process works.

Screenshots (if appropriate):

Types of changes

Checklist:

- [ ] If my change introduces a breaking change, I have added a `!` after the type/scope in the title (see the Conventional Commits standard).