From f3b8bebfc4d94e77c9cf702beb2eeb3e6f6fdc53 Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Mon, 2 Feb 2026 10:30:18 -0300
Subject: [PATCH 1/5] feat(ci): use trusted publishers for NPM publishing
---
.github/workflows/covector-version-or-publish.yml | 3 +--
.github/workflows/publish-cli-js.yml | 4 +---
2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index 83ff2ddac66d..19b80b995341 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -61,7 +61,7 @@ jobs: actions: write # required for workflow_dispatch contents: write # required to create new releases pull-requests: write # required to open version update pr - id-token: write # pnpm provenance + id-token: write # pnpm provenance / oidc token outputs: change: ${{ steps.covector.outputs.change }} commandRan: ${{ steps.covector.outputs.commandRan }}
@@ -95,7 +95,6 @@ jobs: uses: jbolda/covector/packages/action@covector-v0 id: covector env: - NODE_AUTH_TOKEN: ${{ secrets.ORG_NPM_TOKEN }} CARGO_AUDIT_OPTIONS: ${{ secrets.CARGO_AUDIT_OPTIONS }} NPM_CONFIG_PROVENANCE: true with:
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index 3d18f3114bc3..ed4e7e4d8d07 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -368,7 +368,7 @@ jobs: #- test-linux-arm-bindings permissions: contents: write # update release - id-token: write # npm provenance + id-token: write # npm provenance / oidc token steps: - uses: actions/checkout@v4 - run: npm i -g --force corepack
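Review bot: Dropping `NODE_AUTH_TOKEN: ${{ secrets.ORG_NPM_TOKEN }}` in the @@ -95 hunk (and `NPM_TOKEN` in this patch's publish-cli-js @@ -390 hunk) stops the workflows from using the long-lived token, but it does not retire it: the org secret and the registry-side token stay valid and usable from any other workflow or a leaked copy. Once both publish paths are confirmed working over OIDC, the token should be revoked at the registry and the `ORG_NPM_TOKEN` secret deleted, and the packages' publishing access set so that token-based publishing is no longer accepted, making the trusted-publisher entry the only path. It would also help to record that decision next to the `id-token: write` grant, e.g. `id-token: write # OIDC trusted publishing; no registry token is configured anywhere in this workflow`. The enclosing jobs start outside these hunks.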
@@ -390,10 +390,8 @@ jobs: shell: bash - name: Publish run: | - echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc npm publish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.ORG_NPM_TOKEN }} RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }} NPM_CONFIG_PROVENANCE: true
From 4896a4f6e355b689495bdbc2964f31ee9ef6f32e Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Mon, 2 Feb 2026 11:00:00 -0300
Subject: [PATCH 2/5] bump npm version
---
.github/workflows/covector-version-or-publish.yml | 2 +-
.github/workflows/publish-cli-js.yml | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index 19b80b995341..fd6f7f50569d 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -76,7 +76,7 @@ jobs: - run: npm i -g --force corepack - uses: actions/setup-node@v4 with: - node-version: 20 + node-version: 24 registry-url: 'https://registry.npmjs.org' - name: cargo login
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index ed4e7e4d8d07..7ccd24c59cfe 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -375,7 +375,8 @@ jobs: - name: Setup node uses: actions/setup-node@v4 with: - node-version: 20 + node-version: 24 + registry-url: 'https://registry.npmjs.org' cache: 'pnpm' - name: Install dependencies run: pnpm i --frozen-lockfile --ignore-scripts
From 1d6e6ec0917de329a48d4e4c9a612ea83849ff28 Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Mon, 2 Feb 2026 12:04:28 -0300
Subject: [PATCH 3/5] update npm
---
.github/workflows/covector-version-or-publish.yml | 5 +++--
.github/workflows/publish-cli-js.yml | 7 +++----
2 files changed, 6 insertions(+), 6 deletions(-)
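Review bot: After the `.npmrc` write is removed from the Publish step, `npm publish` can only succeed if the npm CLI on the runner supports the OIDC token exchange (npm 11.5.1 or later), and nothing on the new side records that constraint; the later commits bumping Node and reinstalling npm suggest it was discovered the hard way. A reader who later downgrades `node-version` or pins an older npm would get an unexplained 401 at release time. A comment on the step would pin the requirement, e.g. `run: | # authenticates via OIDC trusted publishing, requires npm >= 11.5.1; no registry token is configured`. The Publish step's job starts outside the hunk.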
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index fd6f7f50569d..f48d8adc3979 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -74,10 +74,11 @@ jobs: with: fetch-depth: 0 - run: npm i -g --force corepack - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: 24 - registry-url: 'https://registry.npmjs.org' + - name: Update npm + run: npm install -g npm - name: cargo login run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }}
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index 7ccd24c59cfe..c6d2bfcc8575 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -368,15 +368,14 @@ jobs: #- test-linux-arm-bindings permissions: contents: write # update release - id-token: write # npm provenance / oidc token + id-token: write # oidc token steps: - uses: actions/checkout@v4 - run: npm i -g --force corepack - name: Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 24 - registry-url: 'https://registry.npmjs.org' cache: 'pnpm' - name: Install dependencies run: pnpm i --frozen-lockfile --ignore-scripts
@@ -391,8 +390,8 @@ jobs: shell: bash - name: Publish run: | + npm install -g npm npm publish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }} - NPM_CONFIG_PROVENANCE: true
From e2a2720bbd0f41ce67aef7aeea0ba70c1e7fd867 Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Mon, 2 Feb 2026 12:56:46 -0300
Subject: [PATCH 4/5] use empty NODE_AUTH_TOKEN
---
.github/workflows/covector-version-or-publish.yml | 2 --
.github/workflows/publish-cli-js.yml | 2 +-
2 files changed, 1 insertion(+), 3 deletions(-)
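Review bot: Removing `NPM_CONFIG_PROVENANCE: true` from the publish-cli-js @@ -391 hunk leaves the two publish paths inconsistent, because covector-version-or-publish.yml still sets the same variable (visible as context in the first commit and untouched by the rest of the series). If trusted publishing attaches provenance on its own for this `npm publish`, the covector entry is now redundant; if it does not for the path covector takes, the CLI package silently stops shipping an attestation, and nothing in the diff says which case applies. A one-line comment at the Publish step would keep a future maintainer from reconciling the two in the wrong direction, e.g. `# provenance is attached by the registry for OIDC trusted publishing; NPM_CONFIG_PROVENANCE is not needed here`. The `npm install -g npm` added here is unpinned, but the next commit removes it again, so the step ends up relying on the npm bundled with Node 24; that dependency is worth noting in the same comment.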
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index f48d8adc3979..170bc3ef31b0 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
@@ -77,8 +77,6 @@ jobs: - uses: actions/setup-node@v6 with: node-version: 24 - - name: Update npm - run: npm install -g npm - name: cargo login run: cargo login ${{ secrets.ORG_CRATES_IO_TOKEN }}
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index c6d2bfcc8575..4aa05069cf92 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -390,8 +390,8 @@ jobs: shell: bash - name: Publish run: | - npm install -g npm npm publish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: '' RELEASE_ID: ${{ github.event.client_payload.releaseId || inputs.releaseId }}
From 4485811185b600415ea4db42544c996ce7f91ec0 Mon Sep 17 00:00:00 2001
From: Lucas Nogueira
Date: Mon, 2 Feb 2026 15:18:56 -0300
Subject: [PATCH 5/5] entire workflow permissions
---
.github/workflows/publish-cli-js.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-cli-js.yml b/.github/workflows/publish-cli-js.yml
index 4aa05069cf92..3e4f76081c18 100644
--- a/.github/workflows/publish-cli-js.yml
+++ b/.github/workflows/publish-cli-js.yml
@@ -20,6 +20,10 @@ defaults: run: working-directory: packages/cli/ +permissions: + contents: write # update release + id-token: write # oidc token + jobs: build: strategy:
@@ -366,9 +370,6 @@ jobs: - test-linux-x64-gnu-binding - test-linux-x64-musl-binding #- test-linux-arm-bindings - permissions: - contents: write # update release - id-token: write # oidc token steps: - uses: actions/checkout@v4 - run: npm i -g --force corepack
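Review bot: The new `NODE_AUTH_TOKEN: ''` in the publish-cli-js @@ -390 hunk carries no explanation, and an empty auth token sitting next to `npm publish` is exactly the line a future maintainer will "fix" by wiring `secrets.ORG_NPM_TOKEN` back in, reintroducing the standing credential this series removes. Presumably the empty value is there to shadow any inherited token or an `.npmrc` placeholder so the CLI falls through to OIDC, but that is an inference; the commit title does not say. Quote the reason inline, e.g. `NODE_AUTH_TOKEN: '' # intentionally empty: auth is OIDC trusted publishing, do not set a token here`. The Publish step's job starts outside the hunk.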
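Review bot: Moving `permissions` to the workflow level in the @@ -20 hunk grants `contents: write` and `id-token: write` to every job in publish-cli-js.yml, including the build and test jobs that only ran with the default token before; the block removed from the publish job in the @@ -366 hunk was the least-privilege shape. An npm trusted-publisher entry is bound to the repository and workflow filename (optionally an environment), so any job in this file can now mint an OIDC token the registry will honor, and a compromised build-time dependency in those jobs gains publish capability on the package plus write access to releases. The commit title gives no rationale; unless a job-level grant was found insufficient for the token exchange, keep the block on the publish job (or set a top-level `permissions: {}` with job-level grants), and consider binding the publish job to an `environment:` that the trusted-publisher entry names so the token is only valid from that job. The publish job's header starts outside the @@ -366 hunk.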