fix: configure npm trusted publishing for semantic-release (#3) #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - 3.x | |
| - 2.x | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # NPM Trusted Publishing Configuration | |
| # This workflow uses npm trusted publishing with OIDC tokens instead of long-lived npm tokens. | |
| # Trusted publishing provides enhanced security and generates cryptographic provenance attestations. | |
| # | |
| # References: | |
| # - NPM Trusted Publishing: https://docs.npmjs.com/trusted-publishers | |
| # - NPM Provenance: https://docs.npmjs.com/generating-provenance-statements | |
| # - semantic-release npm plugin: https://github.com/semantic-release/npm#provenance | |
| permissions: | |
| id-token: write # Required for OIDC trusted publishing | |
| contents: write # Required to create releases and push tags | |
| jobs: | |
| release: | |
| name: release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Use Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'yarn' | |
| # Configure npm registry for trusted publishing | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Install Dependencies | |
| run: yarn --pure-lockfile | |
| - name: Build | |
| run: yarn build | |
| - name: Semantic Release | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| yarn release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HUSKY: 0 | |
| - name: Publish to npm with Trusted Publishing | |
| run: | | |
| # Create tarball for GitHub release assets | |
| cd dist | |
| npm pack | |
| # Publish to npm with provenance using trusted publishing | |
| npm publish --provenance --access public | |
| env: | |
| # Enable npm provenance for trusted publishing - generates cryptographic attestations | |
| # linking the published package to its source code and build environment | |
| NPM_CONFIG_PROVENANCE: true |