From 1610f2e5aa533ec14505ebae5ba93d685c8e3181 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elberte=20Pl=C3=ADnio?= Date: Thu, 9 Jul 2026 21:51:44 -0300 Subject: [PATCH] ci: publish to npm via trusted publishing (OIDC) Replace NPM_TOKEN auth with OIDC trusted publishing so publish tokens never expire again. Bump the release job to Node 24 for npm >= 11.5.1 and enable provenance attestation. Refs pickforge/pickforge-platform#23 --- .github/workflows/release.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b91c99b..7d704ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ concurrency: permissions: contents: write + id-token: write jobs: release: @@ -20,8 +21,7 @@ jobs: - uses: actions/setup-node@v4 with: - node-version: "20" - registry-url: "https://registry.npmjs.org" + node-version: "24" - uses: oven-sh/setup-bun@v2 with: @@ -66,9 +66,7 @@ jobs: - name: Publish @pickforge/picklab if: startsWith(github.ref, 'refs/tags/v') working-directory: packages/cli - run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: npm publish --access public --provenance - name: Create GitHub release if: startsWith(github.ref, 'refs/tags/v')