From cce62953655e19580b30e6c95812f8c09625e986 Mon Sep 17 00:00:00 2001 From: Bill Freeman Date: Sun, 5 Jul 2026 12:46:07 -0500 Subject: [PATCH] ci: publish to npm via OIDC trusted publishing (no token) The @pureskillgg npm org enforces 2FA on writes at a tier that rejects token bypass (NPM_TOKEN -> EOTP in CI). Switch the npmjs job to OIDC trusted publishing: workflow permissions id-token: write, upgrade npm to >=11.5, drop NODE_AUTH_TOKEN from the npm job (OIDC handles auth + provenance), add workflow_dispatch. Proven on mw-phi. GitHub Packages + gh-pages jobs unchanged. Requires a one-time Trusted Publisher on the npmjs package. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/publish.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 47c0aeb..030d7c1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,12 @@ on: push: tags: - v* + workflow_dispatch: + +permissions: + contents: read + id-token: write + packages: write jobs: npm: @@ -18,6 +24,8 @@ jobs: with: node-version: '22' registry-url: https://registry.npmjs.org + - name: Update npm for OIDC trusted publishing + run: npm install -g npm@latest - name: Check version id: version shell: bash @@ -33,8 +41,6 @@ jobs: - name: Publish ${{ steps.version.outputs.name }}@${{ steps.version.outputs.current }} if: ${{ steps.version.outputs.published != steps.version.outputs.current }} run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} github: runs-on: ubuntu-latest timeout-minutes: 30