From 5b1878d57dab362a372901fbd7a151d074c164dd Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 16 Oct 2025 16:26:18 +0200
Subject: [PATCH 01/12] refactor: introduced trusted publishing

---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d5112428..9332a3884 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on:
 release:
 types: [published]
+permissions:
 id-token: write # Required for OIDC
+
 jobs:
 init:
 uses: ./.github/workflows/00-init.yml

From 3304ef2793a6a83c3779a4e23e8c2bfa9e3afeca Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 16 Oct 2025 16:27:17 +0200
Subject: [PATCH 02/12] Update publish-npm.sh

---
 .github/scripts/publish-npm.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
index 847ce0bd0..4876fe7cb 100644
--- a/.github/scripts/publish-npm.sh
+++ b/.github/scripts/publish-npm.sh
@@ -39,7 +39,6 @@ do
 echo "🔑 Authenticated with GITHUB"
 elif [[ $REGISTRY == 'NPM' ]]; then
 npm config set @db-ui:registry https://registry.npmjs.org/
- npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
 echo "🔑 Authenticated with NPM"
 else
 echo "Could not authenticate with $REGISTRY"

From 90d96e44c12ef6c287cb8b75106ea917d763d2bf Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 16 Oct 2025 16:28:03 +0200
Subject: [PATCH 03/12] Update 03-publish-packages.yml

---
 .github/workflows/03-publish-packages.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index 941cb8bc9..d913aefd1 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
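Review bot: After the `npm set //registry.npmjs.org/:_authToken` line is dropped, the NPM branch only sets the registry and then still prints `🔑 Authenticated with NPM`, although nothing in this branch authenticates any more — the credential now comes from the OIDC exchange that `npm publish` performs later, which the message does not reflect. A fail-fast check that the runner actually exposes an OIDC token would turn a late, opaque publish error into a clear one: `if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then echo "OIDC token not available; is id-token: write granted?"; exit 1; fi`, and the echo could become `echo "🔑 Using OIDC trusted publishing for NPM"`. The loop and `if` chain this branch belongs to start outside the hunk.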
@@ -48,7 +48,6 @@ jobs:
 PRE_RELEASE: ${{ inputs.preRelease }}
 VALID_SEMVER_VERSION: ${{ inputs.version }}
 GITHUB_COMMITISH: ${{ github.event.release.target_commitish }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: ⬆ Upload Package Artifact db-ui-base

From 5578bc49340dbabb0b981020911d5437b8cb0cf3 Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 23 Oct 2025 10:56:46 +0200
Subject: [PATCH 04/12] Update 03-publish-packages.yml

---
 .github/workflows/03-publish-packages.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index d913aefd1..ece8ced6f 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -26,6 +26,8 @@ jobs:
 runs-on: ubuntu-24.04 # Use Ubuntu 24.04 explicitly
 permissions:
 id-token: write # Required for OIDC
+ contents: read
+ packages: write
 steps:
 - name: ⬇ Checkout repo
 uses: actions/checkout@v4

From 87431b058195fe58533545986a38bf788f3ca240 Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 23 Oct 2025 10:58:39 +0200
Subject: [PATCH 05/12] Update 03-publish-packages.yml

From 5eaffbf4d63cc0b90809a9301951cc51fc01fbfd Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 23 Oct 2025 14:58:43 +0200
Subject: [PATCH 06/12] Update 03-publish-packages.yml

---
 .github/workflows/03-publish-packages.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index ece8ced6f..1ab234e48 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -27,7 +27,6 @@ jobs:
 permissions:
 id-token: write # Required for OIDC
 contents: read
- packages: write
 steps:
 - name: ⬇ Checkout repo
 uses: actions/checkout@v4
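Review bot: With `NPM_TOKEN` removed, `GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the next line is the only credential the script still receives, and the job's `permissions:` map shown in patch 04 grants just `id-token: write` — the `packages: write` scope that the GITHUB-registry branch of publish-npm.sh presumably needs is added in patch 04 and removed again in patch 06, so at the end of the series GITHUB_TOKEN is restricted to a token that cannot push to GitHub Packages. If that registry is still a publish target, restore `packages: write` next to `id-token: write` in the job's permissions; if the GITHUB branch is intentionally no longer exercised, say so in a comment and drop the `GPR_TOKEN` line as well. The step whose `env:` block this is starts outside the hunk.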
From b083ea52f685c459fcea7cda07dc52cc7103c06f Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Thu, 23 Oct 2025 14:58:58 +0200
Subject: [PATCH 07/12] Add permissions for contents in release workflow

---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9332a3884..94a420cb4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ on:
 permissions:
 id-token: write # Required for OIDC
+ contents: read
 jobs:
 init:

From 8404f0ea3550145ef7039132bb6a61c1a9f1cd9f Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sat, 8 Nov 2025 21:42:21 +0100
Subject: [PATCH 08/12] Update permissions in release workflow

Change permissions to allow write access for id-token.
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 94a420cb4..9332a3884 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,7 +10,6 @@ on:
 permissions:
 id-token: write # Required for OIDC
- contents: read
 jobs:
 init:

From d5796ecfe8a4761010adf21efafb7b65cc2e6758 Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sat, 8 Nov 2025 21:42:28 +0100
Subject: [PATCH 09/12] Update 03-publish-packages.yml

---
 .github/workflows/03-publish-packages.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index 1ab234e48..d913aefd1 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -26,7 +26,6 @@ jobs:
 runs-on: ubuntu-24.04 # Use Ubuntu 24.04 explicitly
 permissions:
 id-token: write # Required for OIDC
- contents: read
 steps:
 - name: ⬇ Checkout repo
 uses: actions/checkout@v4
From fb67f6138942eec7cfa091461c97c62051138409 Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sat, 8 Nov 2025 21:53:01 +0100
Subject: [PATCH 10/12] Update .nvmrc

---
 .nvmrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.nvmrc b/.nvmrc
index 2bd5a0a98..a45fd52cc 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22
+24

From 06a40d0c4ff63d1267cbb9aa3334c20342dfeadc Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sat, 8 Nov 2025 22:16:28 +0100
Subject: [PATCH 11/12] Update release.yml

---
 .github/workflows/release.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9332a3884..119bba98c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,9 +8,6 @@ on:
 release:
 types: [published]
-permissions:
- id-token: write # Required for OIDC
-
 jobs:
 init:
 uses: ./.github/workflows/00-init.yml
@@ -43,6 +40,8 @@ jobs:
 uses: ./.github/workflows/03-publish-packages.yml
 needs: [lint, build, get-publish-version]
 secrets: inherit
+ permissions:
+ id-token: write # Required for OIDC
 with:
 release: ${{ needs.get-publish-version.outputs.release }}
 preRelease: ${{ needs.get-publish-version.outputs.preRelease }}

From bbbf9e6884bb5a82559ed5b839b2770f8164c92e Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sat, 8 Nov 2025 22:24:01 +0100
Subject: [PATCH 12/12] Remove provenance flag from npm publish command

---
 .github/scripts/publish-npm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
index 4876fe7cb..c43d7de7e 100644
--- a/.github/scripts/publish-npm.sh
+++ b/.github/scripts/publish-npm.sh
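Review bot: The job-level `permissions:` map added in the second hunk of patch 11 sets every scope it does not list to `none`, so the reusable workflow called on the `uses:` line runs with `contents: none`; since patch 09 also removed `contents: read` from the called job, the `actions/checkout` step there is left relying on the repository being public — confirm a publish run still checks out, and if it does not, add `contents: read` under the new `id-token: write`. Separately, `secrets: inherit` two lines above still forwards every repository secret to the called workflow, although `NPM_TOKEN` — the only secret these patches show it consuming — is gone; `secrets.GITHUB_TOKEN` reaches a called workflow without `inherit`, so if 03-publish-packages.yml reads no other `secrets.*` the line can be dropped or replaced by an explicit `secrets:` map. The calling job's definition starts before this hunk.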
@@ -45,5 +45,5 @@ do
 exit 1
 fi
 # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
- npm publish --tag "$TAG" db-ui-base-"$VALID_SEMVER_VERSION".tgz --provenance
+ npm publish --tag "$TAG" db-ui-base-"$VALID_SEMVER_VERSION".tgz
 done
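Review bot: The context comment above the changed line still points at the npm provenance docs while the `--provenance` flag it explained is removed, so the comment now contradicts the command; replace it with the reason, e.g. `# Trusted publishing (OIDC) is documented to attach provenance automatically for public packages; --provenance is not needed`, and verify on the next release that the published version still carries an attestation (`npm audit signatures` in a fresh install is one way), because a release that silently loses provenance is a supply-chain regression for consumers who check it. OIDC publishing also needs a recent npm CLI (11.5.1 or later); patch 10 moves .nvmrc to Node 24, presumably for that reason, but the script itself never checks `npm --version`, so a runner that does not honour .nvmrc would fail only at publish time with an unhelpful auth error. The loop closed by `done` starts outside the hunk.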