Skip to content

ci: switch release publish to npm OIDC Trusted Publishing#101

Merged
JumpLink merged 1 commit into
mainfrom
ci/oidc-publish
Jun 16, 2026
Merged

ci: switch release publish to npm OIDC Trusted Publishing#101
JumpLink merged 1 commit into
mainfrom
ci/oidc-publish

Conversation

@JumpLink

@JumpLink JumpLink commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Problem

Release CI for 50.0.1 failed because NPM_TOKEN is empty/missing in the npm-release environment.

Fix

Switch from Yarn token-based publishing to npm OIDC Trusted Publishing (no long-lived secret needed).

What changed

  • Remove NPM_TOKEN env var and secret references entirely
  • Drop registry-url from actions/setup-node — when set, it injects a NODE_AUTH_TOKEN placeholder that makes npm skip OIDC and fall back to token auth (same pattern as gjsify/gjsify release.yml)
  • Switch from yarn workspace @girs/gnome-shell npm publish (no OIDC support in Yarn) to npm publish packages/gnome-shell (npm CLI v10+ exchanges the GitHub OIDC token automatically)
  • Move tag expression into an env: variable to avoid inline expression injection in run: commands

Required follow-up on npmjs.com

Before re-running a release, configure a Trusted Publisher for @girs/gnome-shell:

  1. Go to https://www.npmjs.com/package/@girs/gnome-shell/access
  2. Add a Trusted Publisher with:
    • Repository owner: gjsify
    • Repository name: gnome-shell
    • Workflow filename: release.yml
    • Environment: npm-release

Once configured, re-publish by re-creating the 50.0.1 release or tagging a new version.

@JumpLink
ci: switch release publish to npm OIDC Trusted Publishing
f6b4170 
Remove NPM_TOKEN secret dependency. npm CLI (v10+, shipped with Node
22) auto-exchanges the GitHub Actions OIDC token at npm's
/-/npm/v1/oidc/token endpoint when id-token: write is set and no
NODE_AUTH_TOKEN is present.

Key points:
- Drop registry-url from actions/setup-node to prevent the NODE_AUTH_TOKEN
  placeholder from suppressing OIDC exchange
- Switch from `yarn npm publish` (no OIDC support) to `npm publish`
- Move prerelease tag expression into an env var (avoid inline expression
  injection in run commands)
@JumpLink JumpLink requested review from Totto16, schnz and swsnr as code owners June 16, 2026 11:17
swsnr
swsnr approved these changes Jun 16, 2026
View reviewed changes

@swsnr swsnr left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not too familiat with the whole npm publishing workflow, but looks solid I guess

@JumpLink JumpLink merged commit 4974737 into main Jun 16, 2026
3 checks passed
@JumpLink JumpLink deleted the ci/oidc-publish branch June 16, 2026 16:24
@JumpLink JumpLink mentioned this pull request Jun 16, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@swsnr swsnr swsnr approved these changes

@Totto16 Totto16 Awaiting requested review from Totto16 Totto16 is a code owner

@schnz schnz Awaiting requested review from schnz schnz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JumpLink @swsnr