Copilot AI commented Oct 22, 2025

This PR modernizes the repository's GitHub Actions workflows to comply with the 2025 npm authentication and token management changes.

Changes Made

Action Version Upgrades

  • actions/checkout: Updated from v3 to v5 in both test and release jobs
  • actions/setup-node: Updated from v3 to v6
  • cycjimmy/semantic-release-action: Updated from v3.2.0 to v5.0.2

Node.js Version Management

  • Changed node-version from hardcoded 20 to lts/* to automatically use the latest LTS version, eliminating the need for manual version updates in the future

Semantic Release Configuration

  • Updated semantic_version from 17 to 25 to use the current major version

npm Authentication Migration

  • Removed NPM_TOKEN secret reference - npm releases now use GitHub's OIDC authentication for provenance
  • Added explicit permissions block to the release job:
    • contents: write - to publish GitHub releases
    • id-token: write - to enable OIDC for npm provenance
    • issues: write - to comment on released issues
    • pull-requests: write - to comment on released pull requests

Benefits

Enhanced Security: Uses GitHub's OIDC authentication instead of long-lived tokens
npm Provenance: Automatically attests to the origin of published packages
Future-Proof: Aligns with npm's current security best practices
Maintenance Reduction: Using lts/* eliminates manual Node.js version updates

Closes #[issue_number]

Original prompt

This section details on the original issue you should resolve

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the 2025 npm authentication and token management changes.

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to lts/* for the release job and if there's a matrix in place for other jobs, use relative versions from lts. For example: [lts/-1, lts/*, latest] so we don't have to keep these versions updated in the future. If it's a single node version, then lts/* alone works.

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #5



Note

Modernizes release.yml to use npm OIDC with updated Actions and configs, removing NPM_TOKEN and upgrading Node/semantic-release.

  • GitHub Actions workflow (.github/workflows/release.yml):
    • Action upgrades:
      • actions/checkout: v3 → v5 (test and release jobs)
      • actions/setup-node: v3 → v6 with node-version: lts/*
      • cycjimmy/semantic-release-action: v3.2.0 → v5.0.2
    • Semantic Release:
      • semantic_version: 17 → 25
    • Permissions (release job):
      • Added permissions: contents: write, id-token: write, issues: write, pull-requests: write
    • Auth/Env:
      • Removed NPM_TOKEN (use GitHub OIDC)

Written by Cursor Bugbot for commit 9d91b3d. This will update automatically on new commits.

Co-authored-by: kentcdodds <1500684+kentcdodds@users.noreply.github.com>
Copilot AI changed the title [WIP] Update GitHub Actions workflows to use trusted publishers Update GitHub Actions workflows for npm trusted publishers Oct 23, 2025
Copilot AI requested a review from kentcdodds October 23, 2025 00:03
Copilot finished work on behalf of kentcdodds October 23, 2025 00:03
@kentcdodds kentcdodds marked this pull request as ready for review October 23, 2025 00:03
@kentcdodds kentcdodds merged commit af611b1 into main Oct 23, 2025
5 checks passed
@kentcdodds kentcdodds deleted the copilot/update-github-actions-workflows branch October 23, 2025 00:05
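
A text-level check for the migration items listed in this PR, added here as an example (it is not code from the PR or the repository). The function name `auditWorkflow` is hypothetical and the sample workflow is constructed for illustration.

```javascript
// Added example: text-level audit of a workflow file for the items this PR changes.
// It does not parse YAML, so it cannot tell which job a permissions block belongs to.
const MIN_MAJOR = {
  'actions/checkout': 5,
  'actions/setup-node': 6,
  'cycjimmy/semantic-release-action': 5,
};
const REQUIRED_WRITE = ['contents', 'id-token', 'issues', 'pull-requests'];

function auditWorkflow(text) {
  const findings = [];
  const granted = new Set();
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ''); // ignore YAML comments
    if (/\bNPM_TOKEN\b/.test(line)) findings.push(`line ${i + 1}: NPM_TOKEN still referenced`);
    const uses = line.match(/uses:\s*([\w.-]+\/[\w.-]+)@v(\d+)/);
    if (uses && MIN_MAJOR[uses[1]] > Number(uses[2])) {
      findings.push(`line ${i + 1}: ${uses[1]} at v${uses[2]}, want v${MIN_MAJOR[uses[1]]} or later`);
    }
    const sv = line.match(/semantic_version:\s*(\d+)/);
    if (sv && Number(sv[1]) < 25) findings.push(`line ${i + 1}: semantic_version ${sv[1]} is below 25`);
    const perm = line.match(/^\s+([a-z-]+):\s*write\s*$/);
    if (perm) granted.add(perm[1]);
  });
  for (const p of REQUIRED_WRITE) {
    if (!granted.has(p)) findings.push(`missing "${p}: write"`);
  }
  return findings;
}

// Constructed sample input in the pre-migration shape (not the repository's release.yml).
const BEFORE = [
  'jobs:',
  '  release:',
  '    steps:',
  '      - uses: actions/checkout@v3',
  '      - uses: actions/setup-node@v3',
  '      - uses: cycjimmy/semantic-release-action@v3.2.0',
  '        with:',
  '          semantic_version: 17',
  '        env:',
  '          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}',
].join('\n');

console.log(auditWorkflow(BEFORE).join('\n'));
```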