From f0259f2c3f4cb69d3edb09bcb820edf8600df02a Mon Sep 17 00:00:00 2001 From: Hristo Terezov Date: Thu, 7 May 2026 18:33:19 -0500 Subject: [PATCH] ci(release): migrate publish to npm trusted publishing via OIDC The shared NPM_AUTH_TOKEN secret last rotated in 2022 has been auth-failing on every publish since 2025-11. As a result, versions 6.2.1, 6.2.2, 6.2.3, and 6.3.0 were bumped on master but never published to npm; the registry is stuck at 6.2.0. Rotating the classic token would put us back on the same time-bomb. Trusted Publishing replaces the long-lived secret with short-lived GitHub Actions OIDC tokens that npm exchanges for a publish credential at publish time. Nothing to rotate, nothing to leak, provenance attestations come for free. The single autopublish.yml is split into two workflows so only the publish step holds id-token: write -- narrowing the surface that could mint OIDC tokens if a workflow file or third-party action were compromised. bump.yml triggers on master push and pushes a version tag; publish.yml triggers on the tag push, runs npm test as a release gate, and publishes via OIDC. Note: requires the @jitsi/js-utils npm package to have a Trusted Publisher entry configured on npmjs.com pointing at this repo and publish.yml -- must be in place before merge. --- .../workflows/{autopublish.yml => bump.yml} | 17 +++---------- .github/workflows/publish.yml | 25 +++++++++++++++++++ 2 files changed, 29 insertions(+), 13 deletions(-) rename .github/workflows/{autopublish.yml => bump.yml} (62%) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/autopublish.yml b/.github/workflows/bump.yml similarity index 62% rename from .github/workflows/autopublish.yml rename to .github/workflows/bump.yml index 1885010..a4f133f 100644 --- a/.github/workflows/autopublish.yml +++ b/.github/workflows/bump.yml @@ -1,4 +1,4 @@ -name: "AutoPublish" +name: "Bump version" on: push: @@ -6,8 +6,8 @@ on: - "master" jobs: - auto-publish: - name: "AutoPublish on master" + bump: + name: "Bump version on master" runs-on: ubuntu-latest if: "!startsWith(github.event.head_commit.message, 'chore: bump version to')" @@ -19,7 +19,7 @@ jobs: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: "Checkout source code" - uses: "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd" # v5 + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 with: token: ${{ steps.app-token.outputs.token }} - name: "Automated Release" @@ -28,12 +28,3 @@ jobs: commit-message: 'chore: bump version to {{version}}' env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} - - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 - with: - node-version: '18' - registry-url: 'https://registry.npmjs.org' - - name: "Install dependencies" - run: npm install - - run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..6fccbb0 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,25 @@ +name: "Publish to npm" + +on: + push: + tags: + - "*.*.*" + +jobs: + publish: + name: "Publish to npm" + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: '24' + registry-url: 'https://registry.npmjs.org' + package-manager-cache: false + - run: npm ci + - run: npm test + - run: npm publish --access public