chore: upgrade CI to Node 24 and migrate npm publishing to OIDC #2978
BlobMaster41 wants to merge 1 commit into AssemblyScript:main from
Upgraded various GitHub Actions to newer major versions in workflow files for improved reliability and features. Enhanced the publish workflow with changelog generation, improved release handling, and npm tag management. Added a CHANGELOG.md file for documenting project changes.
To implement OIDC, not much change should occur in this repo. I intend to implement this myself.
Noted. Should I close this PR?
HerrCai0907 left a comment:
Don't do auto format, it makes the file hard to review.
Just for people to see what changed. The CI in this PR automatically modifies it from the PR merged. Can be removed if not required.
For my understanding, the file will not be automatically updated when the PR is merged, because there is no git push operation in the action. Could you explain more about how to automatically modify it?
I would advise against messing with the npm publishing, because that's mostly Sidenote: if LLMs were used to generate the changes to CI, I would check over it.
What are you talking about? aspublish was already in the original workflow, called via npx aspublish; I didn't introduce it. If you look at both the old and new versions, the pattern is the same: npx aspublish handles the main package, and npm publish --access public handles the sub-packages under lib/loader and lib/rtrace. That separation existed before my changes and still exists after them; there is no conflict. On the token side, npm classic tokens were permanently revoked on December 9, 2025. The old workflow depended on NPM_TOKEN: ${{ secrets.NPM_TOKEN }}, which simply does not work anymore. The replacement is OIDC Trusted Publishing, where the CI provider authenticates directly via short-lived tokens instead of stored secrets. That is why the new workflow has id-token: write in the permissions block and no longer references NPM_TOKEN. This is the setup npm officially recommends now and needs to be configured on npmjs.com under the package's Trusted Publisher settings. The action version bumps (checkout v4 to v6, setup-node v4 to v6) are also just bringing things up to current releases.
Warning: This PR is required to comply with npm's new security standard. npm deprecated all classic tokens on December 9, 2025 and now mandates OIDC Trusted Publishing for CI/CD workflows.
This PR is required by #2976.
Changes proposed in this pull request:
⯈ Upgrade GitHub Actions to v6 and Node.js 24
- actions/checkout from v4 to v6
- actions/setup-node from v4 to v6
- actions/github-script from v7 to v8 (uses Node 24 runtime)
- node-version: current to target Node 24
- node-version: current to the features job (which was missing it)
⯈ Migrate npm publishing to OIDC Trusted Publishing
- NPM_TOKEN environment variable (no longer referenced)
- id-token: write permission required for OIDC
- registry-url passed to setup-node for npm authentication
⯈ Add prerelease support and GitHub Release automation
- mikepenz/release-changelog-builder-action@v6
Migration steps required before merging:
1. Configure Trusted Publisher on npmjs.com for each package:
   - AssemblyScript (Repository assemblyscript, Workflow publish.yml)
   - @assemblyscript/loader and @assemblyscript/rtrace
2. Remove NPM_TOKEN from repository secrets. If NODE_AUTH_TOKEN is set, npm will try to use the token instead of OIDC and fail.
3. Verify runners have npm 11.5.1+ (node-version: current).
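A constructed publish workflow showing the OIDC setup the thread describes (id-token: write, no NPM_TOKEN, registry-url on setup-node), added here as an illustration and not the PR's actual diff; the trigger, job layout and the early-exit check on a leftover NPM_TOKEN secret are assumptions.

```yaml
# Constructed example (not this PR's workflow file): npm Trusted Publishing via OIDC.
name: Publish
on:
  push:
    tags: ["v*"]          # assumed trigger

# Least privilege: contents: read is enough to check out the code;
# id-token: write lets the job request a GitHub OIDC token, which npm
# exchanges for a short-lived publish credential. No stored secret is needed.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Fail fast if the revoked classic token is still configured, since a
      # leftover token would be picked up instead of OIDC and the publish would fail.
      - name: Refuse to run while NPM_TOKEN is still a repository secret
        if: ${{ secrets.NPM_TOKEN != '' }}
        run: |
          echo "Remove the NPM_TOKEN secret; publishing now uses OIDC" >&2
          exit 1

      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: current                 # Node 24; npm 11.5.1+ is required for OIDC
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # No NPM_TOKEN / NODE_AUTH_TOKEN injected below: npm authenticates with
      # the OIDC token, so each package must have a Trusted Publisher configured
      # on npmjs.com pointing at this repository and workflow file.
      - name: Publish main package
        run: npx aspublish
      - name: Publish @assemblyscript/loader
        run: npm publish --access public
        working-directory: lib/loader
      - name: Publish @assemblyscript/rtrace
        run: npm publish --access public
        working-directory: lib/rtrace
```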