sjungling (Member)

Summary

  • Fixes the publish workflow failure by configuring npm trusted publishing with OIDC
  • Replaces legacy npm token authentication with secure OIDC-based trusted publishing
  • Adds comprehensive documentation explaining the trusted publishing setup

Changes

Workflow Updates (.github/workflows/publish.yaml)

  • ✅ Added contents: write permission for creating releases and pushing tags
  • ✅ Added registry-url configuration for npm registry setup
  • ✅ Added NPM_CONFIG_PROVENANCE: true to enable provenance generation
  • ✅ Added detailed comments explaining trusted publishing configuration

Semantic Release Updates (.releaserc.yaml)

  • ✅ Added npmPublish: true to explicitly enable npm publishing
  • ✅ Added provenance: true to enable npm provenance for trusted publishing

Benefits

  • Enhanced Security: Uses OIDC tokens instead of long-lived npm tokens
  • Provenance: Generates cryptographic attestations linking packages to source code
  • No Secrets Required: Eliminates need for NPM_TOKEN secret management

References

Test plan

  • Configure npm package for trusted publishing at npmjs.com
  • Add GitHub repository as trusted publisher in npm package settings
  • Merge this PR
  • Verify workflow runs successfully and publishes with provenance

🤖 Generated with Claude Code

- Add comprehensive comments explaining npm trusted publishing setup
- Include references to npm and semantic-release documentation
- Document OIDC requirements and provenance generation
- Clarify the security benefits of trusted publishing over token-based auth

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Remove @semantic-release/npm plugin to avoid NPM_TOKEN requirement
- Add manual npm publish step with --provenance flag for trusted publishing
- Keep semantic-release for versioning, changelog, git tags, and GitHub releases
- Use npm pack to create tarball for GitHub release assets
- Maintains all automation while enabling OIDC-based npm authentication

This approach leverages npm's native trusted publishing support while
preserving semantic-release's version management and release automation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
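The workflow shape that the PR description and the final commit message describe, written out as an added example; it is not the repository's own publish.yaml. The trigger, job and step names, the Node version, the `npm install -g npm@latest` step and the `id-token: write` permission (which GitHub requires for a job to request an OIDC token) are assumptions, and it assumes package.json already carries the version semantic-release computed before `npm publish` runs.

```yaml
name: publish
on:
  push:
    branches: [main]

permissions:
  contents: write   # semantic-release pushes tags and creates GitHub releases (from the PR)
  id-token: write   # assumed: lets the job mint the OIDC token npm exchanges for a short-lived publish credential

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # semantic-release needs the full history to compute the next version

      - uses: actions/setup-node@v4
        with:
          node-version: 22          # assumed
          registry-url: https://registry.npmjs.org   # writes .npmrc so publish targets npmjs (from the PR)

      - run: npm install -g npm@latest   # assumed: trusted publishing needs a recent npm CLI
      - run: npm ci

      # Before (token-based): a long-lived secret in the repo, no provenance.
      # - run: npx semantic-release
      #   env:
      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      # After: @semantic-release/npm removed (per the PR), so no NPM_TOKEN is verified or used.
      # semantic-release still handles version, changelog, git tag and GitHub release.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Publish with the job's OIDC identity; npm links the package to this workflow run
      # and commit in a signed provenance attestation (NPM_CONFIG_PROVENANCE from the PR).
      - run: npm publish --provenance --access public
        env:
          NPM_CONFIG_PROVENANCE: true

      # Tarball used as a GitHub release asset (per the PR)
      - run: npm pack
```

Trusted publishing only succeeds once the package on npmjs.com lists this repository and workflow file as a trusted publisher, which is the first two items of the PR's test plan.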
@sjungling sjungling merged commit 2db52a7 into main Sep 23, 2025
1 of 2 checks passed
@sjungling sjungling deleted the fix/npm-trusted-publishing branch September 23, 2025 23:36
github-actions bot pushed a commit that referenced this pull request Sep 23, 2025
# [4.1.0](v4.0.0...v4.1.0) (2025-09-23)

### Bug Fixes

* add contents write permission to publish workflow ([#2](#2)) ([c9183f6](c9183f6))
* configure npm trusted publishing for semantic-release ([#3](#3)) ([2db52a7](2db52a7))

### Features

* configure npm trusted publishing support ([a33b2e7](a33b2e7))
@sjungling sjungling restored the fix/npm-trusted-publishing branch September 23, 2025 23:45