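--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -83,6 +83,10 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ inputs.dry-run-npm == false }}
 needs: [release-ldcli]
+# id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+# that the npm registry trusts via the trusted publisher config. The npm
+# trusted publisher must be configured with this workflow filename
+# (manual-publish.yml) for publishes from this path to succeed.
 permissions:
 actions: read
 id-token: write
@@ -92,15 +96,14 @@ jobs:
 name: Checkout
 with:
 fetch-depth: 0
-- uses: actions/setup-node@v3
+- uses: actions/setup-node@v4
 with:
 node-version: 20.x
 registry-url: 'https://registry.npmjs.org'
-- uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-name: 'Get NPM token'
-with:
-aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+- name: Update npm
+shell: bash
+# npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+run: npm install -g npm@11.6.2
 - id: publish-npm
 name: Publish NPM Package
 uses: ./.github/actions/publish-npm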
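Review bot: `actions/setup-node@v4` is referenced by a mutable tag in a job that holds `id-token: write`, so any code that tag later resolves to runs in the same job that can request the OIDC token the npm registry trusts for publishing. Pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/setup-node@<FULL_COMMIT_SHA>  # v4` (placeholder; take the SHA from the release you reviewed). The same applies to the identical line in `release-please.yml` and to `actions/checkout@v4` there. The checkout step's `uses:` line in this file is outside the hunk, so check how it is pinned as well. The job continues past the end of the hunk.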
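--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -107,21 +107,24 @@ jobs:
 release-ldcli-npm:
 runs-on: ubuntu-latest
 needs: [release-please, release-ldcli]
+# id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+# that the npm registry trusts via the trusted publisher config for this
+# workflow. No static NPM token is needed (or wanted: if NODE_AUTH_TOKEN is
+# set, npm prefers the token path and skips OIDC).
 permissions:
 id-token: write
 contents: write
 if: needs.release-please.outputs.release_created == 'true'
 steps:
 - uses: actions/checkout@v4
-- uses: actions/setup-node@v3
+- uses: actions/setup-node@v4
 with:
 node-version: 20.x
 registry-url: 'https://registry.npmjs.org'
-- uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-name: 'Get NPM token'
-with:
-aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+- name: Update npm
+shell: bash
+# npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+run: npm install -g npm@11.6.2
 - id: publish-npm
 name: Publish NPM Package
 uses: ./.github/actions/publish-npm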
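Review bot: The new comment above `permissions:` says no static NPM token is needed, but nothing in this section shows that the old credential is actually retired. The removed step read it from the SSM parameter `/production/common/releasing/npm/token`, and that token presumably remains a valid publish credential until it is revoked, so OIDC adds a publish path rather than replacing one. The local action `./.github/actions/publish-npm` is not part of this diff and may still wire up `NODE_AUTH_TOKEN`, so confirm that it does not. I would extend the comment with something like `# Follow-up: revoke the legacy npm token stored in SSM once OIDC publishing is verified.` The job's remaining steps are outside the hunk.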