ci: enable npm trusted publishing (OIDC)#154
Conversation
- Add id-token: write permission so GitHub mints an OIDC token - Upgrade npm to >= 11.5.1 (required for trusted publishing) - Remove NPM_TOKEN so the OIDC exchange is used instead of legacy token - Bump actions/checkout to v4 and run it before setup-node
Code Review by Qodo
1.
|
PR Summary by Qodoci: enable npm trusted publishing via OIDC Description
Diagram
High-Level Assessment
Files changed (1)
|
cypress-plugin-api
|
||||||||||||||||||||||||||||
| Project |
cypress-plugin-api
|
| Branch Review |
ci/npm-trusted-publishing
|
| Run status |
|
| Run duration | 01m 12s |
| Commit |
|
| Committer | Filip Hric |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
|
|
0
|
|
|
0
|
|
|
0
|
|
|
0
|
|
|
91
|
| View all changes introduced in this branch ↗︎ | |
Code Review by Qodo
|
What
Configures
.github/workflows/tests.ymlto publish to npm via trusted publishing (OIDC) instead of a long-livedNPM_TOKEN.Changes
id-token: writepermission — required so GitHub mints the OIDC token npm exchanges for short-lived credentials. Also addedcontents: writefor semantic-release's tags/GitHub release.npm@latest— trusted publishing requires npm ≥ 11.5.1; Node 22.14.0 ships 11.2.0.NPM_TOKEN— with a token present npm prefers it and skips OIDC.GITHUB_TOKENis kept for the GitHub release/changelog.actions/checkoutto v4 and run it beforesetup-node.@semantic-release/npm@^13.1.1andsemantic-release@^25.0.2already support OIDC, so no dependency changes are needed.Follow-ups (outside this PR)
NPM_TOKENrepo secret.filiphric/cypress-plugin-apiand workflow filetests.yml— a mismatch causes the OIDC exchange to be rejected.Side benefit: npm provenance is now generated automatically.