Skip to content

Update release workflow to use trusted publishing #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
risantos wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update release workflow to use trusted publishing #52

risantos wants to merge 1 commit into from

Conversation

@risantos
Copy link
Member

@risantos risantos commented Jan 19, 2026

Description

@risantos risantos requested a review from a team as a code owner January 19, 2026 14:43
Copilot AI review requested due to automatic review settings January 19, 2026 14:43
@risantos risantos added the dependencies Pull requests that update a dependency file label Jan 19, 2026
@risantos risantos self-assigned this Jan 19, 2026
Copilot AI reviewed Jan 19, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the release workflow to use OIDC-based trusted publishing for npm, which is more secure than using long-lived tokens. The changes include upgrading release-it to version 19.2.3, updating GitHub Actions to v6, and configuring the workflow with the necessary id-token: write permission.

Changes:

  • Updated release-it from 19.0.3 to 19.2.3 to support OIDC publishing
  • Configured GitHub workflow with OIDC permissions (id-token: write)
  • Updated GitHub Actions to v6 and Node.js to version 24
  • Removed manual npm token configuration in favor of automatic OIDC authentication
  • Added skipChecks: true to npm publishing configuration

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File Description
package.json Updated release-it dependency from ^19.0.3 to ^19.2.3
.release-it.js Added skipChecks: true to npm configuration
.github/workflows/release.yaml Updated to use OIDC authentication with id-token permission, upgraded actions to v6, and Node.js to v24
yarn.lock Updated all transitive dependencies from release-it and related packages

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/release.yaml
uses: actions/setup-node@v6
with:
node-version: 22
node-version: 24
Copy link

Copilot AI Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upgrading from Node.js 22 to Node.js 24 is a significant version change. Node.js 24 was released in October 2024 and may not be LTS yet. Verify that all dependencies and tooling in this project are compatible with Node.js 24, or consider using Node.js 22 LTS or Node.js 20 LTS for stability.

Suggested change
node-version: 24
node-version: 22.x

Copilot uses AI. Check for mistakes.
.release-it.js
Comment on lines +20 to 23
publish: true,
skipChecks: true
}
};
Copy link

Copilot AI Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The skipChecks: true option bypasses important npm pre-publish checks. This setting should only be used if there's a specific reason to skip npm's built-in validation. Consider documenting why this is necessary or removing it to maintain standard npm publishing safety checks.

Suggested change
publish: true,
skipChecks: true
}
};
publish: true
}
};

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@franciscocardoso franciscocardoso Awaiting requested review from franciscocardoso

At least 1 approving review is required to merge this pull request.

Assignees

@risantos risantos

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risantos