Skip to content

Remove token-based npm publishing, enforce OIDC-only trusted publishing#1185

Merged
FloEdelmann merged 1 commit into
mainfrom
copilot/disable-token-based-npm-release
Mar 31, 2026
Merged

Remove token-based npm publishing, enforce OIDC-only trusted publishing#1185
FloEdelmann merged 1 commit into
mainfrom
copilot/disable-token-based-npm-release

Conversation

Copilot AI commented Mar 31, 2026

Copy link
Copy Markdown
Contributor

The release workflow was mixing token-based auth (NPM_API_TOKEN secret) with the already-configured OIDC publishing setup, leaving an unnecessary long-lived credential in the loop.

Changes

  • .github/workflows/release.yaml: Removed NODE_AUTH_TOKEN: '${{ secrets.NPM_API_TOKEN }}' env var from the publish step

The required OIDC infrastructure was already in place:

  • permissions: id-token: write
  • npm publish --provenance

With the token removed, all auth flows exclusively through the short-lived GitHub OIDC token.

@FloEdelmann FloEdelmann marked this pull request as ready for review March 31, 2026 08:38
@FloEdelmann FloEdelmann merged commit 8259ede into main Mar 31, 2026
8 checks passed
@FloEdelmann FloEdelmann deleted the copilot/disable-token-based-npm-release branch March 31, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants