
Commit 47e86c7

committed
Use OIDC for publishing
1 parent 597a27c commit 47e86c7


2 files changed

+33
-15
lines changed


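--- a/.changeset/salty-bugs-act.md
+++ b/.changeset/salty-bugs-act.md
@@ -0,0 +1,5 @@
+---
+'hereby': patch
+---
+
+Enable OIDC publishing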

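--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,22 +23,35 @@ jobs:
 publish:
 needs: [build]
 runs-on: ubuntu-latest
+
+permissions:
+id-token: write
+contents: read
+
 steps:
-- name: Set up Node registry authentication
-uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
-node-version: 22.20.0
-registry-url: 'https://registry.npmjs.org'
+node-version: '*'
+
+- run: npm install -g npm@latest
 
-- name: publish
-id: publish
-uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+- name: Download tarball
+uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
 with:
-access: public
-node-auth-token: ${{ secrets.NPM_TOKEN }}
-package-name: ${{ needs.build.outputs.package-name }}
-package-download-name: ${{ needs.build.outputs.package-download-name }}
-package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }}
-provenance-name: ${{ needs.build.outputs.provenance-name }}
-provenance-download-name: ${{ needs.build.outputs.provenance-download-name }}
-provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
+name: ${{ needs.build.outputs.package-download-name }}
+path: ${{ needs.build.outputs.package-name }}
+sha256: ${{ needs.build.outputs.package-download-sha256 }}
+
+- name: Download provenance
+uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
+with:
+name: ${{ needs.build.outputs.provenance-download-name }}
+path: 'attestations'
+sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
+
+- name: Publish the package
+env:
+TARBALL_PATH: '${{ needs.build.outputs.package-name }}'
+PROVENANCE_PATH: './attestations/${{ needs.build.outputs.provenance-name }}'
+run: |
+npm publish "${TARBALL_PATH}" --access=public --provenance-file="${PROVENANCE_PATH}"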
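Review bot: The publish job now holds `id-token: write`, yet its toolchain is resolved at run time: `node-version: '*'` and `npm install -g npm@latest` mean whatever Node and npm releases are newest on release day run inside the one job that can mint the publishing token. Pinning both keeps the release reproducible and narrows what can act with that permission, e.g. `node-version: 22.20.0` (the value this commit removes) and `- run: npm install -g npm@<PINNED_VERSION>`, choosing an npm release new enough for trusted publishing (11.5.1 or later, per npm's documentation). Separately, the `uses:` refs of the two download steps render as `[email protected]` on this page, so it cannot be confirmed from here that they remain pinned to a full commit SHA as the removed `publish` step was; that is worth checking in the file itself.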
