Unverified Commit 8a40b0d9 authored by Hong Minhee's avatar Hong Minhee

Use npm trusted publishing instead of auth tokens

Remove manual NPM_AUTH_TOKEN configuration in favor of npm's trusted
publishing feature, which uses GitHub's OIDC provider for secure
authentication. This eliminates the need to manage npm access tokens
as GitHub Secrets while maintaining provenance support.
parent 95d53c35
+2 −3
@@ -286,11 +286,12 @@ jobs:
        deno-version: v2.x
    - uses: pnpm/action-setup@v4
      with:
        version: 10
        version: latest
    - uses: actions/setup-node@v4
      with:
        node-version: lts/*
        cache: pnpm
    - run: sudo npm install -g npm@latest && npm --version
    - if: github.event_name == 'push' && github.ref_type == 'branch'
      run: |
        jq \
@@ -378,7 +379,6 @@ jobs:
        JSR_TOKEN: ${{ secrets.JSR_TOKEN }}
    - run: |
        set -ex
        npm config set //registry.npmjs.org/:_authToken "$NPM_AUTH_TOKEN"
        for pkg in fedify-*.tgz; do
          if [[ "$GITHUB_REF_TYPE" = "tag" ]]; then
            npm publish --logs-dir=. --provenance --access public "$pkg" \
@@ -402,7 +402,6 @@ jobs:
          fi
        done
      env:
        NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
        PR_NUMBER: ${{ github.event.pull_request.number }}
    - if: github.event_name == 'pull_request_target'
      uses: thollander/actions-comment-pull-request@v3
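Review bot: The added step `sudo npm install -g npm@latest && npm --version` in the first hunk installs an unpinned npm as root in the same job that later runs `npm publish --provenance`, so whatever npm release is current at run time executes with the job's OIDC publishing identity. Pin it to a reviewed version that meets npm's documented minimum for trusted publishing (11.5.1, to be confirmed against the current npm docs), e.g. `- run: sudo npm install -g npm@<pinned-version> && npm --version`, and bump it deliberately. The same concern applies to `version: latest` under `pnpm/action-setup@v4` if that is the new side of the changed pair; the rendering does not mark which of the two `version:` lines was added. Trusted publishing also depends on `id-token: write`, and the job's permissions block and the rest of its steps are outside the hunks, so confirm that permission is granted to this publish job only. Since the context lines show the job also handling `pull_request_target` runs, it would be worth restricting the trusted publisher on the npm side to this workflow file and a protected environment.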