feat: migrate to trusted publishing (#1680)

johnnyreilly · web-flow · commit 0cef777f72db · 2026-04-02T05:33:11.000+01:00
* feat: migrate to trusted publishing

* chore: comment unused token
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -48,14 +48,14 @@ jobs:
     name: Execution Tests Ubuntu
     strategy:
       matrix:
-        node: [20, 22]
-        ts: [5.0.4, 5.1.3, 5.2.2, 5.3.3, 5.4.2, 5.5.3, 5.6.2, 5.7.2, 5.8.2, 5.9.2, next]
+        node: [24, 22]
+        ts: [5.0.4, 5.1.3, 5.2.2, 5.3.3, 5.4.2, 5.5.3, 5.6.2, 5.7.2, 5.8.2, 5.9.2] # next excluded for now
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
       - name: install node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node }}
 
@@ -75,14 +75,14 @@ jobs:
     name: Execution Tests Windows
     strategy:
       matrix:
-        node: [20, 22]
-        ts: [5.0.4, 5.1.3, 5.2.2, 5.3.3, 5.4.2, 5.5.3, 5.6.2, 5.7.2, 5.8.2, 5.9.2, next]
+        node: [24, 22]
+        ts: [5.0.4, 5.1.3, 5.2.2, 5.3.3, 5.4.2, 5.5.3, 5.6.2, 5.7.2, 5.8.2, 5.9.2] # next excluded for now
     runs-on: windows-latest
     steps:
       - uses: actions/checkout@v3
 
       - name: install node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node }}
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,16 +4,20 @@ on:
 
 name: release
 
+# Permission to generate an OIDC token for trusted publishing to npm
+permissions:
+  id-token: write
+
 jobs:
   build_test_and_publish:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
       - name: install node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 24
           registry-url: https://registry.npmjs.org/
 
       - name: install
@@ -25,6 +29,9 @@ jobs:
       - name: test
         run: yarn execution-tests
 
+      - run: npm install -g npm@latest
+
       - run: npm publish
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true
+          # NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN}} no longer needed with trusted publishing and OIDC token generation
diff --git a/package.json b/package.json
@@ -101,5 +101,8 @@
   "peerDependencies": {
     "typescript": "*",
     "webpack": "^5.0.0"
+  },
+  "publishConfig": {
+    "provenance": true
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -101,5 +101,8 @@`
`101`	`101`	`"peerDependencies": {`
`102`	`102`	`"typescript": "*",`
`103`	`103`	`"webpack": "^5.0.0"`
	`104`	`+ },`
	`105`	`+ "publishConfig": {`
	`106`	`+ "provenance": true`
`104`	`107`	`}`
`105`	`108`	`}`