fix(ci): use OIDC for npm auth, remove expired NPM_TOKEN #638
Merged
The semantic-release dry-run in the test job was failing because it lacked id-token:write permission for OIDC and fell back to an expired NPM_TOKEN. Since npm trusted publishers with OIDC is already configured for the release job, grant the same permission to the test job and remove the NPM_TOKEN secret references from both jobs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Lars Trieloff <lars@trieloff.net>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
…push access

The dry-run performs `git push --dry-run` to verify permissions, which requires write access to repository contents.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Lars Trieloff <lars@trieloff.net>
This PR will trigger a patch release when merged.
Pull request overview
Updates the GitHub Actions workflow to authenticate npm operations via OIDC (trusted publishers) instead of relying on an expired NPM_TOKEN, unblocking semantic-release dry-runs and releases.
Changes:
- Add `id-token: write` permission to the `test` job for npm OIDC auth during semantic-release dry-run.
- Remove `NPM_TOKEN` secret usage from semantic-release dry-run and release steps.
Comments suppressed due to low confidence (1)
.github/workflows/main.yaml:28
- Step name says "Use Node.js 20.x" but the configured version is `node-version: '24.x'`. This mismatch makes it harder to understand what runtime CI is actually using; please update the step name or the configured node version so they agree.

```yaml
- name: Use Node.js 20.x
  uses: actions/setup-node@v6
  with:
    node-version: '24.x'
```
🎉 This PR is included in version 3.1.3 🎉

The release is available on:

Your semantic-release bot 📦🚀
Summary
- `id-token: write` permission to the `test` job so the semantic-release dry-run can authenticate via npm OIDC trusted publishers
- `NPM_TOKEN` secret references from both `test` and `release` jobs since OIDC replaces token-based auth

This unblocks PR #635 and any other PRs blocked by the expired `ADOBE_BOT_NPM_TOKEN` secret.

Test plan
🤖 Generated with Claude Code
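
A check a maintainer could run after a migration like this one, as an added example that is not part of the PR or the project's code: it flags jobs that invoke semantic-release without `id-token: write` or that still reference an `*NPM_TOKEN*` secret. The sample workflow is constructed, and the script assumes job keys indented two spaces under `jobs:` and job-level `permissions` blocks.

```python
import re

# Constructed sample workflow for illustration; not the project's actual file.
SAMPLE = """\
jobs:
  test:
    permissions:
      contents: write
    steps:
      - run: npx semantic-release --dry-run
        env:
          NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }}
  release:
    permissions:
      contents: write
      id-token: write
    steps:
      - run: npx semantic-release
"""

def split_jobs(text):
    """Map job name -> body text. Assumes job keys sit two spaces under `jobs:`."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = re.match(r"^  ([A-Za-z_][\w-]*):\s*$", line)
        if not line[0].isspace():  # a new top-level key ends or starts `jobs:`
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and m:
            current = m.group(1)
            jobs[current] = []
        elif in_jobs and current:
            jobs[current].append(line)
    return {name: "\n".join(body) for name, body in jobs.items()}

def audit(text):
    """Return {job: [issues]}; only job-level permissions are inspected."""
    findings = {}
    for name, body in split_jobs(text).items():
        if "semantic-release" not in body:
            continue
        issues = []
        if not re.search(r"^\s+id-token:\s*write\s*$", body, re.M):
            issues.append("missing id-token: write")
        issues += [f"references secrets.{s}" for s in re.findall(r"secrets\.(\w*NPM_TOKEN\w*)", body)]
        if issues:
            findings[name] = issues
    return findings
```

A workflow that grants `id-token: write` in a top-level `permissions` block would be reported as missing it, so treat that finding as a prompt to look rather than a verdict.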