refactor: introduce trusted publishing (#3161)

mfranzke · web-flow · commit 9291433db21c · 2025-11-09T01:06:05.000+01:00
* refactor: introduce trusted publishing

* Remove NPM_TOKEN from publish workflow

Removed NPM_TOKEN from the workflow for security reasons.

* Update .nvmrc

* Update publish-release.yml

* Update package.json

* Update publish-npm.sh
diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
@@ -51,15 +51,14 @@ do
     echo "🔑 Authenticated with GITHUB"
   elif [[ $REGISTRY == 'NPM' ]]; then
     npm config set @db-ui:registry https://registry.npmjs.org/
-    npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
     echo "🔑 Authenticated with NPM"
   else
     echo "Could not authenticate with $REGISTRY"
     exit 1
   fi
   # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
-  npm publish --tag "$TAG" db-ui-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
-  npm publish --tag "$TAG" db-ui-ngx-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
-  npm publish --tag "$TAG" db-ui-react-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
-  npm publish --tag "$TAG" db-ui-v-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
+  npm publish --tag "$TAG" db-ui-ngx-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
+  npm publish --tag "$TAG" db-ui-react-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
+  npm publish --tag "$TAG" db-ui-v-elements"$PACKAGE_ENDING"-"$VALID_SEMVER_VERSION".tgz
 done
diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
@@ -80,7 +80,6 @@ jobs:
           VALID_SEMVER_VERSION: ${{ inputs.version }}
           DBUI_THEME: ${{ matrix.themes }}
           PACKAGE_ENDING: ${{ steps.getPkgTheme.outputs.pkgTheme }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: ⬆ Upload Package Artifact elements-${{ matrix.themes }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -53,6 +53,8 @@ jobs:
     uses: ./.github/workflows/03-publish-packages.yml
     needs: [cypress, get-publish-version]
     secrets: inherit
+    permissions:
+      id-token: write  # Required for OIDC
     with:
       release: ${{ needs.get-publish-version.outputs.release }}
       preRelease: ${{ needs.get-publish-version.outputs.preRelease }}
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-22
+24
diff --git a/package.json b/package.json
@@ -74,7 +74,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "homepage": "https://db-ui.github.io/elements/",
-  "packageManager": "npm@10.9.2",
+  "packageManager": "npm@11.6.1",
   "optionalDependencies": {
     "sass-embedded-linux-x64": "1.93.3"
   }

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@`
`74`	`74`	`"registry": "https://registry.npmjs.org/"`
`75`	`75`	`},`
`76`	`76`	`"homepage": "https://db-ui.github.io/elements/",`
`77`		`- "packageManager": "npm@10.9.2",`
	`77`	`+ "packageManager": "npm@11.6.1",`
`78`	`78`	`"optionalDependencies": {`
`79`	`79`	`"sass-embedded-linux-x64": "1.93.3"`
`80`	`80`	`}`