
Conversation

eps1lon (Owner) commented Nov 27, 2025

changeset-bot commented Nov 27, 2025

🦋 Changeset detected

Latest commit: 5901c36

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: types-react-codemod (Patch)


Copilot AI left a comment

Pull request overview

This PR modernizes the npm publishing workflow by switching from token-based authentication to OIDC-based trusted publishing, following npm's trusted publishers documentation.

  • Adds OIDC configuration with id-token: write permission and production environment
  • Removes the deprecated NPM_AUTOMATION_TOKEN secret usage
  • Adds necessary permissions for changesets to manage releases (contents, pull-requests)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • .github/workflows/release.yml: configures OIDC authentication by adding environment and permissions, and removes the NPM_TOKEN secret
  • .changeset/light-mirrors-tickle.md: documents the switch to trusted publishing as a patch change


Inline comment on .github/workflows/release.yml:

        id: changesets
        uses: changesets/action@v1
        with:
          publish: yarn release
Copilot AI commented Nov 27, 2025

When using npm trusted publishing with OIDC, the publish command should include the --provenance flag to generate attestations. Add publishArgs: '--provenance' to the changesets action configuration:

- name: Create Release Pull Request or Publish to npm
  id: changesets
  uses: changesets/action@v1
  with:
    publish: yarn release
    publishArgs: '--provenance'
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This ensures that npm packages are published with provenance attestations, which is a key benefit of trusted publishing.

Suggested change:

-    publish: yarn release
+    publish: yarn release
+    publishArgs: '--provenance'

eps1lon (Owner, Author) commented

This should no longer be needed.
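The workflow shape described in the review overview above (OIDC permission, production environment, changesets permissions, no npm token secret), written out as an added example; this is a constructed file, not the repository's own release.yml, and the Node version, branch name and install step are assumptions:

```yaml
# Constructed example of a release workflow that publishes to npm via OIDC
# trusted publishing instead of an NPM_AUTOMATION_TOKEN secret.
name: Release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    # If the trusted-publisher entry on npm names an environment, the OIDC
    # token's environment claim must match it, so the job must run in it.
    environment: production
    permissions:
      id-token: write      # lets the job request an OIDC token from GitHub
      contents: write      # changesets pushes version-bump commits and tags
      pull-requests: write # changesets opens the "Version Packages" PR
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; any npm >= 11.5.1 works
      # Trusted publishing requires npm 11.5.1 or later; older CLIs look for
      # a token and fail when none is configured.
      - run: npm install -g npm@latest
      - run: yarn install --immutable   # assumed install step
      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          # With OIDC and a recent npm, provenance attestations are generated
          # automatically for public repositories; no --provenance flag needed.
          publish: yarn release
        env:
          # Only GITHUB_TOKEN remains. Do not set NPM_TOKEN or NODE_AUTH_TOKEN:
          # a token found in the env or .npmrc takes precedence over OIDC and
          # turns the job back into token-based publishing.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A quick check that the switch took effect is to confirm the published version on npm shows a provenance attestation and that no npm token is referenced anywhere in the workflow file.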

eps1lon force-pushed the sebbie/11-27-switch_to_trusted_publishing branch from dce1abc to 5901c36 on November 27, 2025 13:36
eps1lon enabled auto-merge (squash) November 27, 2025 13:36
eps1lon merged commit 18d0cef into main Nov 27, 2025
3 checks passed
eps1lon deleted the sebbie/11-27-switch_to_trusted_publishing branch November 27, 2025 13:38
github-actions bot mentioned this pull request Nov 27, 2025