chore(ci): Add trusted publishing (#1001)

dgilmanuni · web-flow · commit 2e4c64751945 · 2025-10-24T14:24:43.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,34 +14,25 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - name: Load secret
-        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
-        with:
-          # Export loaded secrets as environment variables
-          export-env: true
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          # You may need to change this to your vault name and secret name
-          # Refer to it by calling env.NPM_TOKEN
-          # This token is also limited by IP to ONLY work on the runner
-          NPM_TOKEN: op://npm-deploy/npm-runner-token/secret
+      - uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
 
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node
-        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           cache: yarn
-          node-version: 18
+          node-version: 20
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: yarn install --immutable --immutable-cache
 
+      - name: Install npm
+        run: npm install -g npm@latest
+
       - name: Release
         env:
-          NPM_CONFIG_USERCONFIG: /dev/null
-          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc && yarn publish
+        run: yarn publish
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -15,9 +15,11 @@ jobs:
         node: [ '10', '12', '14' ]
     name: Node ${{ matrix.node }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
         with:
           node-version: ${{ matrix.node }}
       - run: yarn install --frozen-lockfile
