chore: migrate to npm trusted publishing and GitHub App token #186
dividedmind merged 1 commit into main from
Conversation
dividedmind commented Feb 26, 2026
- Replace PAT with GitHub App token (RELEASE_BOT_APP_ID/PRIVATE_KEY) in release job; app token events trigger other workflows unlike GITHUB_TOKEN
- Remove npm publish from semantic-release; add separate publish.yml workflow triggered on version tags using OIDC (no NPM_TOKEN needed)
- Drop id-token: write and write permissions from release job (governed by app installation, not workflow permissions block)
- Add windows-test to release job dependencies
- Remove @semantic-release/npm plugin from .releaserc.yaml
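The first and third bullets describe a release job whose authority comes from a GitHub App installation rather than from a PAT or from the workflow's `permissions:` block. The workflow below is an added example of that shape, not the project's own ci.yml: it assumes the App ID is stored as a repository variable `RELEASE_BOT_APP_ID` and the key as a secret `RELEASE_BOT_PRIVATE_KEY` (the PR only says "RELEASE_BOT_APP_ID/PRIVATE_KEY"), assumes the job names `test` and `windows-test`, and uses the `actions/create-github-app-token` action to mint a short-lived installation token.

```yaml
# Added example of a release job driven by a GitHub App installation token.
# Not the project's ci.yml; variable/secret and job names are assumptions.
name: ci
on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - run: yarn install --frozen-lockfile   # --immutable on Yarn 2+
      - run: yarn test

  windows-test:                               # assumed job name from the PR text
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - run: yarn install --frozen-lockfile
      - run: yarn test

  release:
    needs: [test, windows-test]
    runs-on: ubuntu-latest
    # No id-token or write scopes here. What the release step may do is
    # bounded by the App installation's permissions, not by this block,
    # so the workflow-level GITHUB_TOKEN can stay read-only.
    permissions:
      contents: read
    steps:
      # Exchange the App credentials for an installation token that lives
      # only for this job. Tags/releases created with it DO trigger other
      # workflows (e.g. a tag-triggered publish.yml), unlike GITHUB_TOKEN.
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.RELEASE_BOT_APP_ID }}          # assumed variable name
          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}  # assumed secret name
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # semantic-release needs full history to find the last tag
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
      - run: yarn install --frozen-lockfile
      # semantic-release reads GITHUB_TOKEN; with @semantic-release/npm removed
      # from .releaserc.yaml it only tags and creates the GitHub release.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```

The private key never leaves the secret store in usable form: the action signs a JWT with it and returns an installation token scoped to the App's permissions, which expires on its own. Rotating the App key, or narrowing the installation's repository permissions, therefore limits what a compromised release job could do without touching the workflow file.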
Pull request overview
This PR modernizes the release and publishing workflow by migrating from Personal Access Token (PAT) authentication to GitHub App tokens, and separating npm publishing into a dedicated workflow using OIDC-based trusted publishing. The changes improve security by eliminating the need for a long-lived NPM_TOKEN secret and enable proper workflow triggering.
Changes:
- Replaced PAT-based authentication with GitHub App token (using RELEASE_BOT_APP_ID/PRIVATE_KEY) in the release job to enable workflow-triggering events
- Removed npm publishing from semantic-release configuration and created a separate publish.yml workflow that uses OIDC for trusted publishing
- Updated release job permissions and added windows-test as a dependency
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .releaserc.yaml | Removed @semantic-release/npm plugin to separate npm publishing from the release process |
| .github/workflows/publish.yml | New workflow that publishes to npm using OIDC trusted publishing when version tags are pushed |
| .github/workflows/ci.yml | Updated release job to use GitHub App token, removed npm-related configuration, added windows-test dependency, removed prepack step (no longer needed for semantic-release) |
| - uses: actions/setup-node@v4 | ||
| with: | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - run: yarn |
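Review bot: the snippet doesn't show the publish job's `permissions:` block, and OIDC trusted publishing only works when the job itself grants `id-token: write`; the PR description drops that scope from the release job, which is right now that it no longer publishes, but publish.yml must carry it. Suggest a job-level block such as `permissions: { contents: read, id-token: write }` so nothing else in the workflow is widened.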
The publish workflow is missing the build step before publishing. The package.json specifies that only the /dist directory should be published (line 14-16 in package.json), but /dist is gitignored and needs to be built from TypeScript sources using yarn prepack. Without running yarn prepack before npm publish, the package will be published without the compiled JavaScript files, causing the publish to fail or publish an incomplete package.
Add - run: yarn prepack after the - run: yarn step to compile TypeScript to the /dist directory before publishing.
| - run: yarn | |
| - run: yarn | |
| - run: yarn prepack |
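Review bot: `- run: yarn` installs without pinning the tree to the lockfile, and on a publish job whatever resolves here is what gets compiled into `/dist` and shipped; prefer `yarn install --frozen-lockfile` (`--immutable` on Yarn 2+) so the job fails instead of silently picking up different versions. Separately, `npm publish` runs the package's `prepack` lifecycle script on its own, so the explicit `yarn prepack` step is a safety net rather than the only thing standing between an empty `/dist` and the registry, provided the script doesn't depend on yarn-only tooling.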
| on: | ||
| push: | ||
| tags: | ||
| - 'v[0-9]*' |
The tag trigger pattern 'v[0-9]*' is too permissive and will match tags like 'v1', 'v12', etc., not just semantic version tags. Since the semantic-release configuration uses tagFormat 'v${version}' (line 2 of .releaserc.yaml) which produces tags like 'v1.2.3', consider using a more specific pattern like 'v[0-9]+.[0-9]+.[0-9]+' or 'v*.*.*' to ensure the publish workflow only triggers on valid semantic version tags.
| - 'v[0-9]*' | |
| - 'v*.*.*' |
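Review bot: `v*.*.*` is a glob, so it also matches prerelease tags such as `v1.2.3-beta.1`; acceptable if intended. The point that matters more is that this trigger publishes on any matching tag push, not only on tags semantic-release creates from `main`, so whoever can push a `v*` tag can cut an npm release. Pair the pattern with a tag protection rule or repository ruleset that restricts tag creation to the release App (and repo admins), so the trusted-publishing trust chain starts at a controlled event.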
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: |
The publish workflow doesn't specify a Node.js version in the setup-node step, while the package.json requires "node": ">=18" (line 43 of package.json). Consider explicitly setting the node-version to ensure compatibility, for example:

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: '18'
    registry-url: 'https://registry.npmjs.org'
```

This ensures the build and publish happen with a supported Node.js version.
| with: | |
| with: | |
| node-version: '18' |
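Review bot: `node-version: '18'` satisfies the `engines` field, but Node 18 reached end-of-life in April 2025, and the npm CLI bundled with it (10.x) predates trusted publishing, which npm's documentation requires npm 11.5.1 or later for. Either move to a current LTS line or add `- run: npm install -g npm@latest` before `npm publish`; with an older CLI the OIDC exchange never happens and the publish falls back to token auth and fails.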
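The three review comments above (missing build step, tag pattern, Node version) plus the OIDC requirement together describe what publish.yml needs. The workflow below is an added example that folds them in; it is not the project's publish.yml. It assumes a trusted publisher has been configured on npmjs.com for this repository and the workflow file name `publish.yml`, that Yarn classic is in use (`--frozen-lockfile`), and that the package's `prepack` script builds `/dist`. No `NPM_TOKEN` secret is referenced anywhere.

```yaml
# Added example of a tag-triggered npm publish using OIDC trusted publishing.
# Not the project's publish.yml; see the lead-in for what it assumes.
name: publish
on:
  push:
    tags:
      - 'v*.*.*'   # semantic-release tagFormat v${version}; also matches prereleases

# Job-level scopes: id-token lets this job request an OIDC token that npm
# exchanges for a short-lived publish credential. Nothing else is writable.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'                      # current LTS, satisfies engines >=18
          registry-url: 'https://registry.npmjs.org'
      # Trusted publishing needs npm CLI 11.5.1+ (per npm docs); the npm bundled
      # with LTS Node lines is older, so upgrade it before publishing.
      - run: npm install -g npm@latest
      # Reproduce exactly the locked dependency tree; fail if the lockfile is stale.
      - run: yarn install --frozen-lockfile
      # /dist is gitignored and package.json publishes only /dist, so build first.
      - run: yarn prepack
      # No token env var: npm detects the Actions OIDC environment, authenticates
      # against the trusted publisher configured for this repo + workflow file,
      # and attaches provenance automatically.
      - run: npm publish
```

Worth checking after the first run: the published version on npmjs.com should show a provenance badge linking back to this repository, commit and workflow; if it doesn't, the trusted publisher binding (repository, workflow file name) is the first thing to compare against what npm expects.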
- Replace PAT with GitHub App token (RELEASE_BOT_APP_ID/PRIVATE_KEY) in release job; app token events trigger other workflows unlike GITHUB_TOKEN
- Remove npm publish from semantic-release; add separate publish.yml workflow triggered on version tags using OIDC (no NPM_TOKEN needed)
- Drop id-token: write and write permissions from release job (governed by app installation, not workflow permissions block)
- Add windows-test to release job dependencies
- Remove @semantic-release/npm plugin from .releaserc.yaml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
85cb764 to 4439a6b
🎉 This PR is included in version 2.25.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀