ci: fix automated releases

[matejchalk]

• Closes Automated releases #1114
• Closes NPM Provenance - a build signature badge #893

Changes

• Enabled previously disabled release.yml workflow.

• Removed NPM_TOKEN secret. Instead, the release.yml workflow is configured as a trusted publisher and uses OIDC authentication. This is configured in the Settings tab for each package:
  

  • Provenance attestations are now automatically generated for all packages, see example:
    

• Removed unnecessary GitHub App authentication. The id-token: write (for OIDC) and contents: write (for GitHub Release) permissions are sufficient.
  

• Removed unnecessary dry-run logic and workflow-dispatch. It was overly complex. And, in practice, it doesn't catch many errors anyway.

• Configured concurrency to prevent parallel releases.

• Tested with an alpha release (0.79.2-alpha.1). Versioning, changelogs, release, and npm publish all worked correctly (see CI job) 🎉

  • Also tested that workflow passes without changes when there's nothing to release (see CI job).

---

Edit: Had to release version 0.79.2, as it turns out our E2E tests break when there's a pre-release version 😬 Reported as a bug: push-based/nx-verdaccio#94

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 55f7c06

Command	Status	Duration	Result
nx affected -t e2e-test --parallel=1	✅ Succeeded	10m 54s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-23 12:29:47 UTC

[pkg-pr-new]

Open in StackBlitz

@code-pushup/ci

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1117

@code-pushup/cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1117

@code-pushup/core

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1117

@code-pushup/create-cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1117

@code-pushup/models

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1117

@code-pushup/coverage-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1117

@code-pushup/nx-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1117

@code-pushup/eslint-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1117

@code-pushup/js-packages-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1117

@code-pushup/jsdocs-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1117

@code-pushup/lighthouse-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1117

@code-pushup/typescript-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1117

@code-pushup/utils

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1117

@code-pushup/models-transformers

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1117

commit: 55f7c06

[github-actions]

Code PushUp

🤨 Code PushUp report has both improvements and regressions – compared current commit bfc68ed with previous commit 3a1e2f6.

🕵️ See full comparison in Code PushUp portal 🔍

🏷️ Categories

🏷️ Category	⭐ Previous score	⭐ Current score	🔄 Score change
Performance	🔴 42	🔴 40
Code coverage	🟡 90	🟡 90	–
Security	🟡 56	🟡 56	–
Updates	🟡 85	🟡 85	–
Accessibility	🟢 92	🟢 92	–
Best Practices	🟢 100	🟢 100	–
SEO	🟡 61	🟡 61	–
Type Safety	🟢 100	🟢 100	–
Bug prevention	🟢 100	🟢 100	–
Miscellaneous	🟢 100	🟢 100	–
Code style	🟢 100	🟢 100	–
Documentation	🔴 24	🔴 24	–

👎 1 group regressed, 👍 1 audit improved, 👎 3 audits regressed, 15 audits changed without impacting score

🗃️ Groups

🔌 Plugin	🗃️ Group	⭐ Previous score	⭐ Current score	🔄 Score change
Lighthouse	Performance	🔴 42	🔴 40

20 other groups are unchanged.

🛡️ Audits

🔌 Plugin	🛡️ Audit	📏 Previous value	📏 Current value	🔄 Value change
Lighthouse	Initial server response time was short	🟩 Root document took 370 ms	🟥 Root document took 660 ms
Lighthouse	Speed Index	🟨 5.0 s	🟥 6.2 s
Lighthouse	First Contentful Paint	🟨 2.8 s	🟥 3.1 s
Lighthouse	Total Blocking Time	🟥 1,290 ms	🟥 1,170 ms
Lighthouse	Avoids enormous network payloads	🟩 Total size was 2,027 KiB	🟩 Total size was 2,030 KiB
Lighthouse	Uses efficient cache policy on static assets	🟨 31 resources found	🟨 30 resources found
Lighthouse	Minimizes main-thread work	🟥 9.7 s	🟥 9.2 s
Lighthouse	Largest Contentful Paint	🟥 10.7 s	🟥 11.1 s
Lighthouse	Time to Interactive	🟥 12.4 s	🟥 12.6 s
Lighthouse	Metrics	🟩 100%	🟩 100%
Lighthouse	Remove duplicate modules in JavaScript bundles	🟥 Potential savings of 98 KiB	🟥 Potential savings of 96 KiB
Lighthouse	Reduce unused JavaScript	🟥 Potential savings of 155 KiB	🟥 Potential savings of 178 KiB
Lighthouse	Server Backend Latencies	🟩 1,450 ms	🟩 1,520 ms
Lighthouse	JavaScript execution time	🟥 3.8 s	🟥 3.8 s
Lighthouse	Avoids an excessive DOM size	🟥 2,306 elements	🟥 2,263 elements
Lighthouse	Network Round Trip Times	🟩 10 ms	🟩 20 ms
Lighthouse	Reduce unused CSS	🟥 Potential savings of 102 KiB	🟥 Potential savings of 102 KiB
Lighthouse	Max Potential First Input Delay	🟥 780 ms	🟥 780 ms
Code coverage	Branch coverage	🟨 85.5 %	🟨 85.5 %

591 other audits are unchanged.