From d456da1a722a6bf7682e2a9493a887133a14d988 Mon Sep 17 00:00:00 2001
From: Mikalai Silivonik
Date: Thu, 4 Jun 2026 18:09:44 -0400
Subject: [PATCH] ci: publish to npm via OIDC Trusted Publishing

Switch the npm publish workflow from a long-lived NPM_TOKEN secret to short-lived OIDC tokens via npm Trusted Publishing. Grant id-token: write, upgrade npm to @latest (Trusted Publishing needs npm >= 11.5.1), drop NODE_AUTH_TOKEN, and add --provenance for attestation.

Required setup on npmjs.com before the next release tag:
1. npmjs.com -> @snap/react-camera-kit settings -> Publishing access -> Add trusted publisher -> GitHub Actions
2. Org: Snapchat, Repo: react-camera-kit, Workflow filename: publish.yml, Environment: blank
3. After the first successful OIDC publish, delete the NPM_TOKEN repo secret.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/publish.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fbe2af3..067ee6c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,9 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -21,6 +24,9 @@ jobs:
         cache: npm
         registry-url: "https://registry.npmjs.org/"
 
+      - name: Upgrade npm for Trusted Publishing
+        run: npm install -g npm@latest
+
       - name: Determine pre-release tag
         run: |
           TAG_NAME=${GITHUB_REF_NAME}
@@ -50,6 +56,4 @@ jobs:
         run: npm run build
 
       - name: Publish
-        run: npm publish --access public --tag ${{ env.tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public --tag ${{ env.tag }}
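Review bot: The `id-token: write` grant added to the `publish` job, combined with a trusted publisher that is bound only to repo and workflow filename ("Environment: blank" in the description) and no `environment:` key on the job, means any ref that can reach this workflow can mint a token npm will accept for `@snap/react-camera-kit`. Consider adding `environment: npm-publish` next to `runs-on`, registering that environment name in the npm trusted-publisher configuration, and attaching deployment-protection rules (required reviewers, tag-pattern restriction) so the OIDC subject is constrained beyond "this workflow file exists". The `on:` trigger that decides which refs and actors reach this job lies outside the hunk, so the actual exposure cannot be judged from here; a comment such as `# OIDC token is the publish credential; keep this job's permissions minimal` above the block would also record why the job-level `permissions:` exists.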
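Review bot: `npm install -g npm@latest` pulls an unpinned npm into the one job that now holds an OIDC identity able to publish the package, so a compromised or merely broken npm release lands directly in the release path with no review; the commit message already states the real requirement (>= 11.5.1), so pin a version that satisfies it, e.g. `run: npm install -g npm@11.5.1`, preceded by `# Trusted Publishing needs npm >= 11.5.1; pinned so the publish job does not track @latest`. Bumping that pin deliberately, or choosing a Node release whose bundled npm already meets the minimum (the `node-version` input of the setup step is outside this hunk), keeps the publish job reproducible. Appending `npm --version` to the step also leaves the resolved version in the logs for later incident review.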
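Review bot: The new `run:` line still splices `${{ env.tag }}` into the shell command as a workflow expression, and `tag` is produced by the "Determine pre-release tag" step from `GITHUB_REF_NAME` (that step's body lies outside this hunk), so if `tag` can carry any substring of the ref name, a tag containing shell metacharacters is evaluated by the runner's shell before npm sees it; values written to `GITHUB_ENV` are also exported to the step's environment, so `run: npm publish --provenance --access public --tag "$tag"` avoids the template injection with no behavior change for well-formed tags. Separately, as I understand the npm CLI, OIDC trusted publishing generates provenance on its own, so `--provenance` is redundant but harmless; a comment such as `# --provenance is implied under Trusted Publishing; kept explicit so attestation is visible in the workflow` would record that intent. The surrounding `steps:` list continues outside the hunk.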