From fb20a7e675626055d2d50420f10d2f49b9dafdd0 Mon Sep 17 00:00:00 2001
From: Fern Support <126544928+fern-support@users.noreply.github.com>
Date: Thu, 30 Oct 2025 16:52:42 -0400
Subject: [PATCH] chore: update npm publishing to use OIDC authentication

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job for OIDC authentication
- Removed NPM_TOKEN from environment variables in publish job
- Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
- Added publish() helper function that wraps 'npx -y npm@latest publish "$@"'
- Replaced direct 'npm publish' commands with 'publish' function calls
---
 .github/workflows/ci.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e6ea5cc..3e1baab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,6 +35,8 @@ jobs:
 needs: [ compile, test ]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # Required for OIDC
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
@@ -47,13 +49,13 @@ jobs:
 - name: Publish to npm
 run: |
- npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+ publish() { # use latest npm to ensure OIDC support
+ npx -y npm@latest publish "$@"
+ }
 if [[ ${GITHUB_REF} == *alpha* ]]; then
- npm publish --access public --tag alpha
+ publish --access public --tag alpha
 elif [[ ${GITHUB_REF} == *beta* ]]; then
- npm publish --access public --tag beta
+ publish --access public --tag beta
 else
- npm publish --access public
- fi
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
+ publish --access public
+ fi
\ No newline at end of file
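Review bot: The `npx -y npm@latest publish "$@"` line in the new `publish()` helper runs whatever npm build carries the `latest` dist-tag at release time, so the release job's own tooling is an unpinned dependency fetched and executed with publish rights on every tag; pin it to a specific version known to support trusted publishing, e.g. `npx -y npm@<pinned version> publish "$@"`, and bump it deliberately. In the first hunk, adding a job-level `permissions:` block sets every scope not listed to none, so `actions/checkout` in this job may now run with a token lacking `contents: read`; declaring `contents: read` next to `id-token: write` avoids that. Trusted publishing also depends on the package being configured on npmjs.com with this repository and workflow file as its trusted publisher, which the workflow itself cannot express, so a comment such as `# requires the package's trusted publisher on npmjs.com to name this repo and workflow file` on the `publish()` line would document the precondition. Once an OIDC publish has succeeded, the now-unused `NPM_TOKEN` repository secret should be revoked rather than left in place.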