Conversation

@gnbm (Contributor) commented Oct 30, 2025

Pull request checklist

Please check if your PR fulfills the following requirements:

  • Docs have been reviewed and added / updated if needed (for bug fixes / features)
  • Build (npm run build) was run locally and any changes were pushed
  • Tests (npm test) were run locally and passed
  • Prettier (npm run prettier) was run locally and passed

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe): Workflow configuration update

What is the current behavior?

  • Some dependencies were outdated
  • Release workflows still pass long-lived npm tokens to the shared publish action, even though that action now relies on OIDC trusted publishing. This leaves unused secret references in the workflows and doesn’t fully enforce the token-free model.

GitHub Issue Number: N/A

What is the new behavior?

  • Updated test tooling:

    • sass-embedded to ^1.93.2
    • @rollup/plugin-node-resolve to ^16.0.3
    • @rollup/plugin-typescript to ^12.3.0
    • @stencil/core to ^4.38.2
    • @types/node to ^24.9.2
    • jest to ^30.2.0
    • prettier to ^3.6.2
    • rollup to ^4.52.5
    • terser to ^5.44.0
    • ts-jest to ^29.4.5
    • typescript to ~5.9.3
  • Removed the token input from release.yml so the job depends solely on OIDC.
  • Kept the PAT input used for tagging/releases while leaving the composite action to request npm tokens via OIDC.
  • Confirmed that the publish job retains permissions: id-token: write, satisfying npm’s trusted publisher guidance.

Does this introduce a breaking change?

  • Yes
  • No

Testing

  • Workflow changes only; no automated or manual tests were run. Consider triggering dev/stable release jobs to verify OIDC publishing end-to-end.

Other information

  • Aligns with npm trusted publisher recommendations (id-token: write, actions/setup-node with registry URL, npm ≥ 11.5.1, npm publish --provenance).
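The publish job shape the bullet above refers to, written out as an added example for this page; it is not the repository's own release.yml and does not use its composite action. It shows the four ingredients named above (id-token: write, actions/setup-node with a registry URL, an npm ≥ 11.5.1 check, and npm publish --provenance) with the NODE_AUTH_TOKEN secret that OIDC makes unnecessary left only as a comment for contrast. The workflow name, tag trigger, node version and the all-zero action SHAs are placeholders chosen for the example; the SHA pinning itself follows the "pinned publish action to specific commit" item in the review summary below.

```yaml
# Added example (not the project's release.yml): a publish job that relies on
# npm trusted publishing via GitHub OIDC instead of a long-lived npm token.
name: release                      # placeholder workflow name

on:
  push:
    tags:
      - "v*"                       # placeholder trigger

# Start from no permissions; grant only what the publish job needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read               # needed for checkout only
      id-token: write              # lets npm obtain a short-lived OIDC token
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable tag.
      # The all-zero SHAs are placeholders, not real commits.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)

      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          node-version: 22         # placeholder version
          # registry-url makes setup-node write the registry into .npmrc.
          # With trusted publishing there is no NODE_AUTH_TOKEN to inject.
          registry-url: "https://registry.npmjs.org"

      # Trusted publishing needs npm 11.5.1 or newer. Upgrade the runner's
      # bundled npm and fail early if it is still too old, instead of
      # discovering the problem as an opaque 401/403 at publish time.
      - name: Ensure npm supports trusted publishing
        run: |
          npm install -g npm@latest
          ver="$(npm --version)"
          lowest="$(printf '%s\n' 11.5.1 "$ver" | sort -V | head -n1)"
          if [ "$lowest" != "11.5.1" ]; then
            echo "npm $ver is older than 11.5.1; trusted publishing unsupported" >&2
            exit 1
          fi

      - run: npm ci
      - run: npm test

      - name: Publish with provenance
        run: npm publish --provenance --access public
        # Deliberately no secret here. The legacy shape this replaces was:
        #   env:
        #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # With a trusted publisher configured on npmjs.com for this
        # repository and workflow file, npm exchanges the GitHub OIDC token
        # for a short-lived publish credential scoped to this run.
```

Two things the YAML alone does not enforce: the trusted publisher entry on npmjs.com must name this exact repository and workflow filename (and environment, if one is used), or the OIDC exchange is rejected; and once the token secret is gone from the workflow, the old NPM_TOKEN should also be revoked in npm, since a leaked copy would still publish until it expires or is deleted.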

@gnbm gnbm added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Oct 30, 2025
@gnbm gnbm marked this pull request as ready for review October 30, 2025 17:10
@gnbm gnbm requested a review from a team as a code owner October 30, 2025 17:10
Copilot AI left a comment

Pull Request Overview

This PR updates dependencies and transitions the npm publishing workflow to use OIDC trusted publishers instead of long-lived tokens, improving security.

  • Updated multiple development and production dependencies to their latest versions
  • Migrated release workflows from token-based authentication to OIDC trusted publishing
  • Enhanced workflow step names with emoji prefixes for better readability

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • package.json: Updated dependency versions including sass-embedded, build tools, testing frameworks, and type definitions; changed quote style in prettier script
  • package-lock.json: Lockfile updates reflecting the new dependency versions from package.json
  • .github/workflows/release.yml: Removed npm token parameters, switched to GITHUB_TOKEN, pinned publish action to specific commit, and added emoji prefixes to job/step names
  • .github/workflows/main.yml: Added emoji prefixes to step names for improved readability
  • .github/workflows/build.yml: Added emoji prefixes to step names for improved readability

@gnbm gnbm requested a review from Copilot November 9, 2025 16:13
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated no new comments.

@gnbm gnbm merged commit 2a2816f into main Nov 13, 2025
4 checks passed
@gnbm gnbm deleted the gm/review-publish-npm-ga branch November 13, 2025 16:21