valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Use npm Trusted Publishers (OIDC) for automated publishing

Browse Source 
- Add id-token: write permission for OIDC authentication
- Add --provenance flag to npm publish for supply chain security
- Use NODE_AUTH_TOKEN environment variable (set by setup-node)
- Remove manual .npmrc token writing (handled by setup-node with OIDC)

This enables automated npm publishing without storing tokens as secrets.
Requires Trusted Publisher to be configured at:
https://www.npmjs.com/package/@valknarthing/llmx/access

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Sebastian Krüger
2025-11-13 12:10:09 +01:00
parent b47a4dc354
commit 00eed932c0
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/rust-release.yml vendored
View File

@@ -476,7 +476,7 @@ jobs:
tag: ${{ github.ref_name }}
config: .github/dotslash-config.json
# Publish to npm using authentication token
# Publish to npm using Trusted Publishers (OIDC)
publish-npm:
# Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
@@ -485,6 +485,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # Required for OIDC authentication
steps:
- name: Setup Node.js
@@ -510,11 +511,8 @@ jobs:
env:
VERSION: ${{ needs.release.outputs.version }}
NPM_TAG: ${{ needs.release.outputs.npm_tag }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
# Write auth token to the .npmrc file that setup-node created
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ${NPM_CONFIG_USERCONFIG}
set -euo pipefail
tag_args=()
if [[ -n "${NPM_TAG}" ]]; then
@@ -526,7 +524,7 @@ jobs:
)
for tarball in "${tarballs[@]}"; do
npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" --access public "${tag_args[@]}"
npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" --provenance --access public "${tag_args[@]}"
done
update-branch: