Skip to content

chore(workflow): switch to npm trusted publishing; drop NPM_TOKEN env#149

Merged
blove merged 1 commit into
mainfrom
chore/switch-to-trusted-publishing
May 1, 2026
Merged

chore(workflow): switch to npm trusted publishing; drop NPM_TOKEN env#149
blove merged 1 commit into
mainfrom
chore/switch-to-trusted-publishing

Conversation

@blove
Copy link
Copy Markdown
Contributor

@blove blove commented May 1, 2026

Trusted publishing has been configured per-package on npm for all 7 `@ngaf/*` packages. The workflow can now authenticate via OIDC instead of a long-lived token.

Changes

  • Drop `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` from both publish steps in `.github/workflows/publish.yml` (real publish + dry-run).
  • Update the `id-token: write` comment to reflect its new dual purpose (trusted publishing + provenance).
  • Add a brief comment block explaining the trusted-publishing handoff.

Verification path

After merge, the next workflow trigger will exercise OIDC end-to-end:

  • `workflow_dispatch` with `dry-run=true` from the Actions UI is the safest first run.
  • Or just wait for the next `v0.0.2` tag push from `nx release patch`.

If OIDC fails (e.g., trusted publisher not found), the workflow will error at the publish step. Re-add the token env block as a quick rollback if needed.

After two clean releases via trusted publishing

```
gh secret delete NPM_TOKEN
```

Then revoke the local `.env` token at https://www.npmjs.com/settings/blove/tokens.

🤖 Generated with Claude Code

@blove @claude
chore(workflow): switch to npm trusted publishing; drop NPM_TOKEN env
738fb48 
Trusted publishing has been configured per-package on npm (manual web
UI step, completed). The OIDC token from 'permissions.id-token: write'
authenticates this workflow as a trusted publisher for each @ngaf/*
package — no token needed in env.

After two consecutive successful trusted-publish releases, you can:
- gh secret delete NPM_TOKEN  (remove the unused secret from this repo)
- Revoke the local token via npm settings

Provenance attestations continue to be generated automatically via
NPM_CONFIG_PROVENANCE='true'.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented May 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cacheplane Ready Ready Preview, Comment May 1, 2026 0:56am
cacheplane-minting-service Error Error May 1, 2026 0:56am

Request Review

@blove blove merged commit ec131e5 into main May 1, 2026
14 of 15 checks passed
@blove blove deleted the chore/switch-to-trusted-publishing branch May 7, 2026 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@blove