fix: switch npm publishing to GitHub OIDC trusted publisher #241

Merged: tnschneider merged 2 commits into main from ci/oidc-trusted-publisher on Jun 24, 2026
Conversation

@mcarey1590

Contributor

Summary

  • Switch npm publishing from a long-lived FIREBEND_NPM_KEY token to GitHub Actions OIDC trusted publishing.
  • Add permissions: id-token: write to the release job.
  • Replace .npmrc auth-token setup with actions/setup-node@v4 and registry-url.
  • Add --provenance to npm publish for verifiable provenance attestation.
  • Update actions/checkout to v4 and pin ad-m/github-push-action to v0.8.0.
  • Modernize build-and-test.yml with actions/checkout@v4 and actions/setup-node@v4 (node 20).

Test plan

  • Merge and verify the next release publishes to npm successfully.

Generated with Devin
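
A lint for the properties listed in the summary above, as an added example that is not part of this PR or the repository. Both workflow fragments are constructed, and `audit`, `LEGACY` and `OIDC` are hypothetical names:

```python
import re

# Constructed workflow fragments (not the repository's files).
LEGACY = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.FIREBEND_NPM_KEY }}" > .npmrc
      - run: npm publish
      - uses: ad-m/github-push-action@master
"""
OIDC = """\
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm publish --provenance
      - uses: ad-m/github-push-action@v0.8.0
"""

def audit(workflow: str) -> list[str]:
    """Return findings for a workflow text that publishes to npm."""
    findings = []
    # OIDC trusted publishing needs the job to be able to mint an ID token.
    if not re.search(r"^\s*id-token:\s*write\s*$", workflow, re.M):
        findings.append("missing id-token: write")
    # Any stored registry credential defeats the point of the switch.
    if re.search(r"_authToken|NODE_AUTH_TOKEN|secrets\.\w*NPM\w*", workflow):
        findings.append("long-lived npm token referenced")
    # Every publish command should request a provenance attestation.
    for m in re.finditer(r"\bnpm publish\b(.*)", workflow):
        if "--provenance" not in m.group(1):
            findings.append("npm publish without --provenance")
    # Actions referenced by branch name change without review.
    for m in re.finditer(r"uses:\s*(\S+)@(master|main)\b", workflow):
        findings.append(f"{m.group(1)} tracks branch {m.group(2)}")
    if not re.search(r"registry-url:", workflow):
        findings.append("setup-node registry-url not set")
    return findings
```

Tags such as `v0.8.0` can still be moved by the action's owner; a full commit SHA is the stricter pin, which this check does not enforce.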

mcarey1590 and others added 2 commits June 24, 2026 14:20
- Replace the long-lived FIREBEND_NPM_KEY token with GitHub Actions
  OIDC trusted publishing:
  - Add `permissions: id-token: write` to the release job.
  - Remove the `.npmrc` auth-token step and `npm whoami`.
  - Use `actions/setup-node@v4` with `registry-url` configured.
- Add `--provenance` to `npm publish` so packages publish with
  verifiable provenance attestation.
- Update `actions/checkout@v2` to `actions/checkout@v4` and pin
  `ad-m/github-push-action` to `v0.8.0` instead of `master`.

Generated with [Devin](https://devin.ai)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>

- Update actions/checkout from v2 to v4.
- Add actions/setup-node@v4 with node-version 20 to match the
  release workflow and ensure consistent Node runtime.

Generated with [Devin](https://devin.ai)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@mcarey1590 mcarey1590 changed the title from "ci: switch npm publishing to GitHub OIDC trusted publisher" to "fix: switch npm publishing to GitHub OIDC trusted publisher" on Jun 24, 2026
@tnschneider tnschneider merged commit f76cd85 into main Jun 24, 2026
1 check passed
@tnschneider tnschneider deleted the ci/oidc-trusted-publisher branch June 24, 2026 19:28