From 6f0e7307838a8adbc8587794084c5fe283c8827a Mon Sep 17 00:00:00 2001 From: Christopher Tso Date: Thu, 9 Apr 2026 05:57:25 +0000 Subject: [PATCH] ci: replace token-based npm publish with OIDC trusted publishing - Add publish.yml with publish-next and promote-latest actions using OIDC (id-token: write), no NPM_TOKEN needed - Simplify release.yml to version bump + GitHub release only, removing build/publish steps - Delete promote.yml (superseded by publish.yml) Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/promote.yml | 31 -------------------- .github/workflows/publish.yml | 54 +++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 11 ------- 3 files changed, 54 insertions(+), 42 deletions(-) delete mode 100644 .github/workflows/promote.yml create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml deleted file mode 100644 index c989e6ce1..000000000 --- a/.github/workflows/promote.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Promote to latest - -on: - workflow_dispatch: - inputs: - version: - description: "Version to promote (e.g. 2.18.0). Leave empty to use version from package.json." - required: false - type: string - -jobs: - promote: - name: Promote npm dist-tag to latest - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: ./.github/actions/setup-bun - - - name: Configure npm auth - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - - name: Promote to latest - run: | - if [ -n "${{ inputs.version }}" ]; then - bun run promote:latest "${{ inputs.version }}" - else - bun run promote:latest - fi diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 000000000..b8c285a85 --- /dev/null +++ b/.github/workflows/publish.yml 
@@ -0,0 +1,54 @@ +name: Publish + +on: + workflow_dispatch: + inputs: + action: + description: "Action to perform" + required: true + type: choice + options: + - publish-next + - promote-latest + default: publish-next + version: + description: "Version to promote (promote-latest only; leave empty to use package.json version)" + required: false + type: string + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +permissions: + contents: read + id-token: write + +jobs: + publish: + name: ${{ inputs.action == 'promote-latest' && 'Promote to latest' || 'Publish to npm (next)' }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: '24' + + - name: Upgrade npm + run: npm install -g npm@latest + + - uses: ./.github/actions/setup-bun + + - name: Publish to npm (next) + if: inputs.action == 'publish-next' + run: bun run publish:next + + - name: Promote to latest + if: inputs.action == 'promote-latest' + run: | + if [ -n "${{ inputs.version }}" ]; then + bun run promote:latest "${{ inputs.version }}" + else + bun run promote:latest + fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9330f8684..d97b81785 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,17 +40,6 @@ jobs: - name: Bump version, commit, and tag run: bun run release ${{ inputs.bump }} - - name: Build - run: bun run build - - - name: Configure npm auth - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - - name: Publish to npm (next) - run: bun run publish:next - - name: Create GitHub Release run: | VERSION=$(node -p "require('./apps/cli/package.json').version")
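Review bot: The `version` input is interpolated straight into the shell in the promote step, `bun run promote:latest "${{ inputs.version }}"`, so a dispatch value containing `"; <cmd>` executes inside a job that holds `id-token: write`; pass it through `env:` and reference `$VERSION` instead. The `workflow_dispatch` trigger is not limited to a ref and the job has no `environment:`, so anyone who can dispatch can publish or retag from any branch — an `environment` with required reviewers, bound in the npm trusted-publisher configuration, is the usual guard. `npm install -g npm@latest` pulls an unpinned npm into the publish path; pin a version (Node 24 already ships npm 11, so the step may be unnecessary — confirm the minimum trusted publishing needs), and pinning the actions to commit SHAs would match the supply-chain intent of the change. Nothing here runs `bun run build` before `publish:next`, which the removed release.yml steps did, so confirm the script builds first; also confirm `promote:latest` (presumably `npm dist-tag add`) works with the OIDC-derived credential, since no other auth is configured.
```yaml
      # … unchanged: checkout, setup-node, setup-bun, publish-next step …
      - name: Promote to latest
        if: inputs.action == 'promote-latest'
        env:
          VERSION: ${{ inputs.version }}
        run: |
          if [ -n "$VERSION" ]; then
            bun run promote:latest "$VERSION"
          else
            bun run promote:latest
          fi
```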