Copilot AI commented Nov 21, 2025

Remove NPM_AUTH_TOKEN secret dependency by adopting npm's Trusted Publishing mechanism using GitHub Actions OIDC authentication.

Changes

  • Removed NPM_AUTH_TOKEN environment variable from both publish steps (TAG=latest and TAG=next)
  • Workflow already has required id-token: write and contents: write permissions for OIDC

The yarn npm publish command now authenticates via OIDC token automatically, eliminating the need for storing npm credentials as secrets.

Original prompt

This pull request was created as a result of the following prompt from Copilot chat.

Revise the release workflow to support npm Trusted Publishing using GitHub Actions OIDC authentication. Remove all references to the NPM_AUTH_TOKEN secret in the publish steps under the Deploy job, as this token is no longer needed when using npm's trusted publishing mechanism. Ensure that permissions include 'contents: write' and 'id-token: write', and that 'mise run publish' works without explicitly setting an npm authentication environment variable. The updated workflow is as follows:

```yaml
name: Release

on:
  push:
    branches:
      - master

env:
  HUSKY: 0 # https://typicode.github.io/husky/how-to.html#ci-server-and-docker

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

# Needed for nx-set-shas within nx-cloud-main.yml, when run on the master branch
permissions:
  actions: read
  contents: write
  deployments: write
  pull-requests: write
  id-token: write

jobs:
  Process:
    runs-on: ubuntu-latest
    outputs:
      releases_created: ${{ steps.release-please.outputs.releases_created }}
      prs_created: ${{ steps.release-please.outputs.prs_created }}
    steps:
      - uses: google-github-actions/release-please-action@v4
        id: release-please
        with:
          token: ${{secrets.RELEASE_PLEASE_TOKEN}}
      - name: Print Release Data
        run: |
          echo 'Release Data:'

          echo '''
            ${{ toJSON(steps.release-please.outputs) }}
          '''

  Deploy:
    needs: Process
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Tooling
        uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd
        with:
          install: true
          cache: true
          experimental: true

      - name: Yarn
        uses: ./.github/actions/setup-yarn

      - name: Preflight
        run: |
          mise run lint
          mise run types
          mise run unittest
          mise run build
          mise run integrationtest

      - if: ${{ needs.Process.outputs.releases_created == 'true' }}
        run: mise run publish TAG=latest

      - if: ${{ needs.Process.outputs.prs_created == 'true' }}
        run: mise run publish TAG=next
```

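Two guards for the Deploy job described in this PR, added here as example code that is not part of the PR or the project: a static check that a workflow file grants `id-token: write` and no longer references `NPM_AUTH_TOKEN`, and a runtime check that the runner actually exposes the OIDC token-request endpoint (and carries no leftover static token) before `mise run publish` is invoked. The function names and the `NODE_AUTH_TOKEN` variable name (the one actions/setup-node uses) are assumptions, not taken from the PR.

```shell
#!/bin/sh
# Guards for the Deploy job before `mise run publish` runs (example code,
# not part of the project). Both functions return 0 on success, 1 on failure.

# Static check on a workflow file: it must grant `id-token: write` (the
# permission OIDC token minting needs) and must no longer mention the
# NPM_AUTH_TOKEN secret anywhere, not just in the publish steps.
workflow_uses_oidc() {
  wf_file="$1"
  if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$wf_file"; then
    echo "workflow_uses_oidc: $wf_file does not grant 'id-token: write'" >&2
    return 1
  fi
  if grep -q 'NPM_AUTH_TOKEN' "$wf_file"; then
    echo "workflow_uses_oidc: $wf_file still references NPM_AUTH_TOKEN" >&2
    return 1
  fi
  return 0
}

# Runtime check inside the job: with `id-token: write` granted, the runner
# exports ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN;
# without them `yarn npm publish` cannot obtain an OIDC token. A leftover
# static token (NPM_AUTH_TOKEN, or the NODE_AUTH_TOKEN name actions/setup-node
# uses; the latter is an assumption, not from the PR) is also rejected, so a
# misconfigured OIDC setup cannot silently fall back to a long-lived credential.
oidc_preflight() {
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || \
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "oidc_preflight: no OIDC token request endpoint; is 'id-token: write' set?" >&2
    return 1
  fi
  for tok_var in NPM_AUTH_TOKEN NODE_AUTH_TOKEN; do
    eval "tok_val=\${$tok_var:-}"
    if [ -n "$tok_val" ]; then
      echo "oidc_preflight: $tok_var is set; remove static npm credentials" >&2
      return 1
    fi
  done
  return 0
}
```

In the workflow, `workflow_uses_oidc .github/workflows/<release workflow>.yml` fits the Preflight step and `oidc_preflight && mise run publish TAG=latest` the publish steps, so a missing permission or a leftover secret fails the job before anything is pushed to the registry.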

Copilot AI changed the title [WIP] Revise release workflow for npm trusted publishing Migrate release workflow to npm Trusted Publishing with OIDC Nov 21, 2025
Copilot AI requested a review from airtonix November 21, 2025 11:04
@airtonix airtonix changed the title Migrate release workflow to npm Trusted Publishing with OIDC chore(ci): Migrate release workflow to npm Trusted Publishing with OIDC Nov 21, 2025
@airtonix airtonix marked this pull request as ready for review November 21, 2025 11:08
@airtonix

Involved making sure yarn was upgraded.

yarnpkg/berry#6898

@airtonix airtonix merged commit 0b7b599 into master Nov 21, 2025
3 checks passed
@airtonix airtonix deleted the copilot/revise-release-workflow-npm branch November 21, 2025 11:38