From 5912cc36b8ec2de0c4ea16486b829e9518dd98e9 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Tue, 24 Mar 2026 07:19:34 -0700
Subject: [PATCH] Adopt npm trusted publishing in CI

---
 .github/workflows/CI.yml | 17 +++++++----------
 README.md                |  2 +-
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index b1fac834..ac597a9c 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -5,8 +5,7 @@ env:
   MACOSX_DEPLOYMENT_TARGET: '10.13'
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 'on':
   push:
     branches:
@@ -138,12 +137,16 @@ jobs:
     if: github.ref == 'refs/heads/main'
     needs:
       - test
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Setup node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
+          registry-url: https://registry.npmjs.org
       - name: Install dependencies
         run: npm ci
       - name: Download all artifacts
@@ -158,10 +161,4 @@ jobs:
         run: ls -R ./npm
         shell: bash
       - name: Publish
-        run: |
-          npm config set provenance true
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-          npm publish --access public
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public
diff --git a/README.md b/README.md
index 4108fa3f..68fffc9c 100644
--- a/README.md
+++ b/README.md
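Review bot: Narrowing the workflow-level block to `contents: read` now applies to every job in this file, not only the publish job that gets its own block later in the patch, and the diff touches no other job. If any job outside these hunks pushed a tag, created a release or otherwise needed `contents: write` under the old workflow-wide grant, it will start failing on permission errors after this commit; that cannot be confirmed from the hunk, so it is worth a run of the full workflow before merging. A short comment above the block, `# Least privilege by default; the publish job declares its own permissions`, would make the intent explicit for the next person tempted to widen it again.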
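Review bot: The bump from `node-version: 20` to `24` carries no comment saying why, and the reason is security-relevant rather than cosmetic: OIDC trusted publishing needs a recent npm (11.5.1 or newer per npm's documentation), which is satisfied by the npm bundled with current Node 24 releases but not by Node 20, so a future "downgrade for compatibility" would silently break publishing. Add `# Node 24 bundles an npm new enough for OIDC trusted publishing (npm >= 11.5.1); do not lower` above it, and consider a `npm --version` check or an explicit npm upgrade step if you want the requirement enforced rather than implied by the Node line. The new `id-token: write` lets this job mint an OIDC token that the registry accepts as the publisher identity, so everything that runs here, including the tag-pinned `actions/checkout@v4` and `actions/setup-node@v4` context lines, sits inside the publishing trust boundary; pinning those to commit SHAs is the usual hardening for a job holding that grant. The enclosing job definition starts before this hunk.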
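Review bot: The rewritten Publish step drops `npm config set provenance true` together with the token, and nothing in the new single line asks for provenance explicitly; npm documents that trusted publishing from a public repository attaches provenance automatically, but spelling it out as `run: npm publish --access public --provenance` makes the publish fail loudly if that ever stops holding instead of shipping an unattested tarball (confirm against current npm docs that the explicit flag is accepted alongside OIDC auth). A one-line comment above the step, `# Authenticates via GitHub OIDC (id-token: write); requires the trusted publisher for this repo and workflow file to be configured on npmjs.com`, would also record the out-of-band dependency that the README now describes.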
@@ -38,4 +38,4 @@ Following ["Publish It" section from `napi-rs` docs](https://napi.rs/docs/introd 2. `npm version [major|minor|patch]` 3. Send that as a Pull Request to GitHub. Ensure that the commit message consisting **only** of `x.y.z` - this is how the CI decides to publish to `npm`! -`NPM_TOKEN` is part of the repo secrets, generated [like this](https://httptoolkit.com/blog/automatic-npm-publish-gha/). +Configure npm trusted publishing for `replit/ruspty` with the workflow filename `CI.yml` before merging a version bump PR. The publish job now uses GitHub OIDC, so `NPM_TOKEN` is no longer required.