
Refactor: extract npm publish into a dedicated reusable workflow with trusted publishing#3439

Merged
maxkfranz merged 3 commits into unstable from copilot/refactor-github-actions-release-workflow
Apr 10, 2026

Conversation

Contributor

Copilot AI commented Apr 7, 2026

The inline npm publish step in feature-release.yml and patch-release.yml used a long-lived NPM_TOKEN secret, which is no longer viable. This refactors it into a dedicated reusable workflow using npm trusted publishing (OIDC/provenance) instead.

Changes

  • New .github/workflows/npm-publish.yml — reusable workflow (on: workflow_call) that:

    • Checks out master
    • Runs npm publish --provenance (no NODE_AUTH_TOKEN / NPM_TOKEN)
    • Declares permissions: { contents: read, id-token: write } for OIDC-based auth
  • .github/workflows/feature-release.yml

    • Removes the Publish Package To npmjs step and its NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} env var
    • Adds an npm_publish job that fires after feature-release completes, calling the reusable workflow:
npm_publish:
  needs: feature-release
  permissions:
    contents: read
    id-token: write
  uses: ./.github/workflows/npm-publish.yml
  • .github/workflows/patch-release.yml
    • Removes the Publish Package To npmjs step and its NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} env var
    • Adds an npm_publish job that fires after patch-release completes, calling the same reusable workflow:
npm_publish:
  needs: patch-release
  permissions:
    contents: read
    id-token: write
  uses: ./.github/workflows/npm-publish.yml

Required follow-up

Register npm-publish.yml as the trusted publisher workflow for the cytoscape package on npmjs.com to complete the OIDC trust setup.

Original prompt

Refactor the GitHub Actions release workflow in repository cytoscape/cytoscape.js so that the npm publish logic is moved out of .github/workflows/feature-release.yml into its own dedicated reusable workflow file under .github/workflows/.

Context:

  • The current workflow file is .github/workflows/feature-release.yml on branch unstable.
  • The current workflow includes a step named Publish Package To npmjs that runs npm publish using NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}.
  • We want minimal changes/effort while making the npm publish portion exist in its own YAML file.
  • The publish should happen from master after the existing merge/release preparation completes.
  • Remove use of NPM_TOKEN from the refactor.
  • The user explicitly chose: reusable workflow called from feature-release.yml, publish from master, remove NPM_TOKEN.

Requirements:

  1. Create a new reusable workflow file for npm publish, e.g. .github/workflows/npm-publish.yml (exact filename can be chosen if a better repository-consistent name exists).
  2. Update .github/workflows/feature-release.yml to call the reusable workflow as a separate job after the existing release-preparation job succeeds.
  3. Ensure the reusable workflow checks out master before publishing.
  4. Configure the reusable workflow for GitHub/npm trusted publishing rather than token-based npm auth:
    • no NODE_AUTH_TOKEN
    • no NPM_TOKEN
    • include any required workflow/job permissions such as id-token: write and contents: read if needed.
    • use the appropriate npm publish invocation for trusted publishing/provenance if appropriate.
  5. Preserve the rest of the release flow as much as possible, minimizing unrelated changes.
  6. Make sure any data needed by downstream release steps is still available after removing the inline publish step. If VERSION or other values need to be shared between jobs/workflows, implement a minimal robust mechanism.
  7. Keep the resulting workflows valid GitHub Actions YAML.

Please inspect the repository as needed to make the refactor correct and minimal. Then create a pull request with the changes.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Could this step be separated into another yaml file and "called" from this yaml file somehow? I want to use the trusted publishing from npm with github actions and there needs to be just one yaml file with the npm publish part

Assistant: Yes — you can separate the npm publish logic into another YAML file and call it from the main workflow by using a reusable workflow (workflow_call). That’s the GitHub Actions feature designed for exactly this kind of sharing. Publishing Node.js packages

For your case, that means you can keep your existing feature-release.yml for release orchestration, and move the npm publish job into a single dedicated workflow file such as .github/workflows/npm-publish.yml. Then feature-release.yml can call that reusable workflow. This is the cleanest way to keep one canonical npm publishing workflow while still triggering it from another workflow. Publishing Node.js packages

A few important caveats:

  1. Reusable workflows are called at the job level, not step level.
    So if by “this step” you literally mean one steps: entry, you can’t uses: another YAML file from inside steps: unless it’s a composite action. If you want another workflow YAML to be called, you must move that logic into its own job/workflow and call it with uses: ./.github/workflows/npm-publish.yml. Publishing Node.js packages

  2. For npm publishing with provenance / trusted publishing, GitHub’s Node publishing example requires at least:

  3. GitHub’s publishing example for npm still shows NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} along with npm publish --provenance. If you are specifically switching to npm trusted publishing to avoid long-lived npm tokens, you’ll want the publish workflow to be the only place where the npm publish happens, and then configure npm trusted publishing on the npm side to trust that GitHub Actions workflow identity. The GitHub docs confirm the id-token: write requirement for provenance-related publishing. Publishing Node.js packages

A typical structure would look like this:

feature-release.yml

n...




*This pull request was created from Copilot chat.*
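For readers who want to see the shape of the reusable workflow this PR describes, here is an added example of a `npm-publish.yml` with the properties listed in the Changes section (on: `workflow_call`, `contents: read` / `id-token: write`, checkout of `master`, `npm publish --provenance` with no `NODE_AUTH_TOKEN` or `NPM_TOKEN`). This is not the PR's actual file, which is not reproduced on this page. It assumes `actions/checkout@v4` and `actions/setup-node@v4`, that setting `registry-url` on setup-node is harmless without a token, and that npm 11.5.1 is the minimum version supporting trusted publishing (the version npm's documentation gives); the `Check npm version` step and the choice of Node 24 are assumptions added here, not something the PR contains.

```yaml
# .github/workflows/npm-publish.yml (added example, not the PR's own file)
name: npm publish (trusted publishing)

on:
  workflow_call:   # only callable as a job of another workflow (feature-release / patch-release)

permissions:
  contents: read   # enough to check out the repo; no write access to code
  id-token: write  # lets the job mint a GitHub OIDC token, which npm exchanges for a
                   # short-lived publish credential; replaces the long-lived NPM_TOKEN

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: master          # publish from master, not from the branch that called us

      - uses: actions/setup-node@v4
        with:
          node-version: 24     # assumption: a Node line that bundles npm 11.x
          registry-url: https://registry.npmjs.org   # assumption: no NODE_AUTH_TOKEN is supplied, so
                                                     # this only pins the registry

      # Assumption: trusted publishing requires npm >= 11.5.1. Fail fast with a clear
      # message instead of a confusing auth error at publish time.
      - name: Check npm version
        run: |
          have="$(npm -v)"
          lowest="$(printf '%s\n' 11.5.1 "$have" | sort -V | head -n1)"
          if [ "$lowest" != "11.5.1" ]; then
            echo "npm $have is older than 11.5.1, which trusted publishing requires" >&2
            exit 1
          fi

      # No NODE_AUTH_TOKEN / NPM_TOKEN here: npm authenticates with the OIDC token and
      # attaches a provenance attestation linking the tarball to this workflow run.
      - name: Publish Package To npmjs
        run: npm publish --provenance
```

As the PR's follow-up note says, this only works once the package's trusted publisher on npmjs.com is configured to match the repository and this workflow's filename; until then the publish fails because npm has neither a token nor a trusted identity to use. Keeping the publish in one reusable workflow is what makes that trust relationship narrow: npm accepts only OIDC tokens that name this file, so the calling workflows themselves cannot publish directly.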

@maxkfranz
Member

@chrtannus @mikekucera

Copilot AI changed the title [WIP] Refactor GitHub Actions to create reusable npm publish workflow Refactor: extract npm publish into a dedicated reusable workflow with trusted publishing Apr 7, 2026
Copilot AI requested a review from maxkfranz April 7, 2026 16:31
@maxkfranz
Member

@copilot also handle the same on the patch release yaml

Contributor Author

Copilot AI commented Apr 7, 2026

@copilot also handle the same on the patch release yaml

Done in e69fab9 — removed the inline Publish Package To npmjs step (and NODE_AUTH_TOKEN/NPM_TOKEN) from patch-release.yml and added the same npm_publish job calling ./.github/workflows/npm-publish.yml after patch-release completes.

@maxkfranz maxkfranz marked this pull request as ready for review April 10, 2026 17:17
@maxkfranz maxkfranz merged commit 2c41346 into unstable Apr 10, 2026
2 checks passed
maxkfranz added a commit that referenced this pull request Apr 10, 2026
…ns-release-workflow

Refactor: extract npm publish into a dedicated reusable workflow with trusted publishing