Skip to content

chore: migrate npm publish to OIDC trusted publishing#1413

Open
bang9 wants to merge 2 commits intomainfrom
mission/f157b93f
Open

chore: migrate npm publish to OIDC trusted publishing#1413
bang9 wants to merge 2 commits intomainfrom
mission/f157b93f

Conversation

@bang9
Copy link
Copy Markdown
Contributor

@bang9 bang9 commented Mar 27, 2026

chore: migrate npm publish to OIDC trusted publishing

  • Remove npm_token secret and .npmrc auth setup
  • Add OIDC permissions (id-token: write) for trusted publishing
  • Add --provenance flag for public repo attestation
  • Bump Node.js from 18 to 24 (npm 11+ required for OIDC)

Changelogs

  • Build configuration change (internal)

Checklist

  • All tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • Public components / utils / props are appropriately exported
  • I have added necessary documentation (if appropriate)

npm package settings에서 GitHub Actions OIDC trusted publisher 연동 필요:

  • Workflow: package-publish.yml

@bang9 @claude
chore: migrate npm publish to OIDC trusted publishing
b01e57c 
Remove NPM_TOKEN secret and .npmrc auth setup in favor of GitHub Actions
OIDC-based authentication. Add --provenance flag for public repo attestation.
Bump Node.js to 24 for npm 11+ OIDC support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@netlify
Copy link
Copy Markdown

netlify bot commented Mar 27, 2026
edited
Loading

Deploy Preview for sendbird-uikit-react ready!

Name Link
🔨 Latest commit 8bf0cd9
🔍 Latest deploy log https://app.netlify.com/projects/sendbird-uikit-react/deploys/69c6ab87d28c02000811681f
😎 Deploy Preview https://deploy-preview-1413--sendbird-uikit-react.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

semgrep-code-sendbird[bot]
semgrep-code-sendbird bot reviewed Mar 27, 2026
View reviewed changes
semgrep-code-sendbird[bot]
semgrep-code-sendbird bot reviewed Mar 27, 2026
View reviewed changes
@bang9 @claude
fix: use env variable for npm_tag to prevent shell injection
8bf0cd9 
Move github.event.inputs.npm_tag to an intermediate env variable
to avoid direct interpolation in run: steps, as flagged by Semgrep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@semgrep-code-sendbird semgrep-code-sendbird[bot] semgrep-code-sendbird[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bang9