feat(ci): use trusted publishers for NPM publishing (#14874)

* feat(ci): use trusted publishers for NPM publishing * bump npm version * update npm * use empty NODE_AUTH_TOKEN * entire workflow permissions
2026-02-06 07:56:54 +00:00 · 2026-02-02 16:09:01 -03:00 · 2026-02-02 16:09:01 -03:00 · cd68b03ee5
commit cd68b03ee5
parent 8d67af37b6
2 changed files with 10 additions and 13 deletions
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@ -61,7 +61,7 @@ jobs:
      actions: write # required for workflow_dispatch
      contents: write # required to create new releases
      pull-requests: write # required to open version update pr
-      id-token: write # pnpm provenance
+      id-token: write # pnpm provenance / oidc token
    outputs:
      change: ${{ steps.covector.outputs.change }}
      commandRan: ${{ steps.covector.outputs.commandRan }}
@ -74,10 +74,9 @@ jobs:
        with:
          fetch-depth: 0
      - run: npm i -g --force corepack
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
        with:
-          node-version: 20
-          registry-url: 'https://registry.npmjs.org'
+          node-version: 24

      - name: cargo login
        run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }}
@ -95,7 +94,6 @@ jobs:
        uses: jbolda/covector/packages/action@covector-v0
        id: covector
        env:
-          NODE_AUTH_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}
          CARGO_AUDIT_OPTIONS: ${{ secrets.CARGO_AUDIT_OPTIONS }}
          NPM_CONFIG_PROVENANCE: true
        with:
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@ -20,6 +20,10 @@ defaults:
  run:
    working-directory: packages/cli/

+permissions:
+  contents: write # update release
+  id-token: write # oidc token
+
 jobs:
  build:
    strategy:
@ -366,16 +370,13 @@ jobs:
      - test-linux-x64-gnu-binding
      - test-linux-x64-musl-binding
      #- test-linux-arm-bindings
-    permissions:
-      contents: write # update release
-      id-token: write # npm provenance
    steps:
      - uses: actions/checkout@v4
      - run: npm i -g --force corepack
      - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
-          node-version: 20
+          node-version: 24
          cache: 'pnpm'
      - name: Install dependencies
        run: pnpm i --frozen-lockfile --ignore-scripts
@ -390,10 +391,8 @@ jobs:
        shell: bash
      - name: Publish
        run: |
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
          npm publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ''
          RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }}
-          NPM_CONFIG_PROVENANCE: true