diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index acaefbc..3468e61 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write issues: write pull-requests: write @@ -35,6 +36,16 @@ jobs: - name: Install dependencies run: pnpm install --frozen-lockfile + - name: Verify npm trusted publishing auth + run: | + if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then + exit 0 + fi + + echo "Missing GitHub Actions OIDC token for npm trusted publishing." + echo "Ensure this workflow keeps the id-token: write permission." + exit 1 + - name: Typecheck Svelte package run: pnpm --filter tech-radar-editor check @@ -44,5 +55,4 @@ jobs: - name: Publish packages env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} run: pnpm release diff --git a/README.md b/README.md index cc5f323..6fc2336 100644 --- a/README.md +++ b/README.md @@ -161,12 +161,16 @@ Releases are now automated with GitHub Actions and `semantic-release`. - `fix:` triggers a patch release, `feat:` triggers a minor release, and `BREAKING CHANGE:` or `!` triggers a major release. - Only packages with changes since their last tag are published, so the three packages version independently. -The release workflow expects an `NPM_TOKEN` repository secret with publish access to: +The release workflow uses npm trusted publishing from GitHub Actions for: - `tech-radar-editor` - `tech-radar-editor-backend` - `tech-radar-editor-backstage` +Each package must be configured in npm to trust releases from this GitHub repository's `main` branch workflow. + +The release job requires the GitHub Actions `id-token: write` permission so npm can validate the OIDC identity issued for this repository. + To preview what the release job would do locally after installing dependencies: ```bash