build(*): Enable trusted publishing

This commit is contained in:
Josh Creek
2026-03-05 21:55:51 +00:00
parent cd7ac1286c
commit d09561032b
2 changed files with 16 additions and 2 deletions
+11 -1
View File
@@ -14,6 +14,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
issues: write
pull-requests: write
@@ -35,6 +36,16 @@ jobs:
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Verify npm trusted publishing auth
run: |
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
exit 0
fi
echo "Missing GitHub Actions OIDC token for npm trusted publishing."
echo "Ensure this workflow keeps the id-token: write permission."
exit 1
- name: Typecheck Svelte package
run: pnpm --filter tech-radar-editor check
@@ -44,5 +55,4 @@ jobs:
- name: Publish packages
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: pnpm release
+5 -1
View File
@@ -161,12 +161,16 @@ Releases are now automated with GitHub Actions and `semantic-release`.
- `fix:` triggers a patch release, `feat:` triggers a minor release, and `BREAKING CHANGE:` or `!` triggers a major release.
- Only packages with changes since their last tag are published, so the three packages version independently.
The release workflow expects an `NPM_TOKEN` repository secret with publish access to:
The release workflow uses npm trusted publishing from GitHub Actions for:
- `tech-radar-editor`
- `tech-radar-editor-backend`
- `tech-radar-editor-backstage`
Each package must be configured in npm to trust releases from this GitHub repository's `main` branch workflow.
The release job requires the GitHub Actions `id-token: write` permission so npm can validate the OIDC identity issued for this repository.
To preview what the release job would do locally after installing dependencies:
```bash