From c0b55d5b7dd26d6bb680ab6f161906b1035a38a6 Mon Sep 17 00:00:00 2001
From: dominikg
Date: Tue, 9 Sep 2025 20:42:32 +0200
Subject: [PATCH] refactor(release): use node24, enable provenance, set permissions and remove NPM_TOKEN to allow oidc publishing

---
 .github/workflows/release.yml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 981df5d..75c81d5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,9 +4,14 @@ on:
   push:
     branches:
       - master
+permissions: {}
 jobs:
   release:
+    permissions:
+      contents: write # to create release (changesets/action)
+      id-token: write # OpenID Connect token needed for provenance
+      pull-requests: write # to create pull request (changesets/action)
     # prevents this action from running on forks
     if: github.repository == 'sveltejs/svelte-hmr'
     name: Release
@@ -14,7 +19,7 @@ jobs:
     strategy:
       matrix:
         # pseudo-matrix for convenience, NEVER use more than a single combination
-        node: [20]
+        node: [24]
         os: [ubuntu-latest]
     steps:
       - name: checkout
@@ -39,13 +44,6 @@ jobs:
       - name: install
         run: pnpm install --frozen-lockfile --prefer-offline
-      - name: Creating .npmrc
-        run: |
-          cat << EOF > "$HOME/.npmrc"
-          //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
@@ -54,7 +52,7 @@ jobs:
         publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
         # TODO alert discord
         # - name: Send a Slack notification if a publish happens
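Review bot: `id-token: write` is granted to the whole `release` job, so every step in it — the `pnpm install --frozen-lockfile --prefer-offline` step in the third hunk (which may run dependency lifecycle scripts, depending on the pnpm version) and the tag-pinned `changesets/action@v1` — can request an OIDC token, not only the publish step. GitHub has no step-level permissions, so a job-level grant is the narrowest scope available without splitting build and publish into separate jobs; the remaining mitigations are pinning the action to a full commit SHA and keeping the npm trusted-publisher entry restricted to this workflow file, which the patch cannot show. Worth stating next to the grant, e.g. `id-token: write  # OIDC token for npm trusted publishing/provenance; any step in this job can mint it, keep the job minimal`. The added inline comments also leave one space before `#`; yamllint's default expects two (`contents: write  # …`).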
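Review bot: `NPM_CONFIG_PROVENANCE: true` is an unquoted YAML boolean in an `env` map; GitHub coerces it to the string `"true"`, but writing `NPM_CONFIG_PROVENANCE: "true"` states the intent and keeps yamllint's truthy check quiet. Whether provenance is actually attached also depends on the package's `repository` metadata matching this repository and on the registry-side trusted-publisher registration for this workflow, neither of which is visible here, so a short comment such as `# provenance requires npm trusted publishing registered for this workflow file` would save the next maintainer a failed release. With the `NPM_TOKEN` fallback removed in the same commit, a rejected OIDC exchange should now fail the publish step rather than silently publish without attestation, which is the desirable outcome but worth confirming on the first run.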