From 7b091a43ecb9a6618b634ddd914d3499b945d10f Mon Sep 17 00:00:00 2001
From: Fern Support <126544928+fern-support@users.noreply.github.com>
Date: Thu, 30 Oct 2025 15:47:15 -0400
Subject: [PATCH] chore: update npm publishing to use OIDC authentication

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN from environment variables
- Removed npm config set command that configured static token authentication
- Updated npm publish commands to use npx -y npm@latest publish wrapped in a publish() function
- Removed the env block containing NPM_TOKEN secret
---
 .github/workflows/ci.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bb43fde64..7e82eb70e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,8 @@ jobs:
     needs: [ compile ]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Required for OIDC
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -45,13 +47,13 @@ jobs:
       - name: Publish to npm
         run: |
-          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          publish() { # use latest npm to ensure OIDC support
+            npx -y npm@latest publish "$@"
+          }
           if [[ ${GITHUB_REF} == *alpha* ]]; then
-            npm publish --access public --tag alpha
+            publish --access public --tag alpha
           elif [[ ${GITHUB_REF} == *beta* ]]; then
-            npm publish --access public --tag beta
+            publish --access public --tag beta
           else
-            npm publish --access public
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+            publish --access public
+          fi
\ No newline at end of file
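Review bot: The new job-level `permissions:` block lists only `id-token: write`, and once any scope is declared at job level every unlisted scope is reduced to none, so this job's `GITHUB_TOKEN` no longer carries `contents: read`. The `actions/checkout@v3` step three lines below still needs that scope if the repository is (or later becomes) private; on a public repository it happens to keep working, which makes the omission easy to miss. Declare the read scope explicitly so the least-privilege intent is visible and does not depend on repository visibility: `permissions:` / `  contents: read` / `  id-token: write # Required for OIDC`. Scoping the block to the publish job rather than the workflow is the right choice and should stay as is; the `publish` job definition begins before this hunk.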
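Review bot: `npx -y npm@latest publish "$@"` downloads and executes whichever npm version the registry serves at publish time, so the OIDC-minted publish credential for this package is handed to an unpinned, freshly fetched CLI on every tag push, and a bad or compromised npm release would run with it. Pin the npm version that is known to support trusted publishing and bump it deliberately, e.g. `npx -y npm@<pinned-version> publish "$@"`, and reword the inline comment to `# pinned npm with OIDC (trusted publishing) support` so the pin is not "fixed" back to latest. This also presumes the package on npmjs.com has a trusted publisher configured for this repository and workflow file — worth confirming before the first tag push, since the token fallback is gone and the first failure will surface only at release time. The `- name: Publish to npm` step starts inside this hunk and the file ends at the hunk's last line (`fi`, with no trailing newline).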