chore: npm auth to OIDC (#639)

alexmance · web-flow · commit b386966ede40 · 2025-09-19T10:35:11.000-05:00
* use github_token instead of PAT

* update npm to use latest version

* add provenance feat to package.json
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -13,21 +13,31 @@ on:
 jobs:
   ci:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
     if: |
       github.event.pull_request.head.repo.full_name == github.repository ||
       (github.ref == 'refs/heads/master' && github.event_name == 'push')
     steps:
       - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
         with:
-          token: '${{ secrets.BOT_TOKEN }}'
+          token: '${{ secrets.GITHUB_TOKEN }}'
+          fetch-depth: 0
+
+      - name: Setup Node.js and Authenticate with npm
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update npm to the latest version
+        run: npm install -g npm@latest
 
       - name: Build packages
         uses: ./.github/actions/build
 
-      - name: prepare npm access
-        run: echo '//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}' >> ~/.npmrc
-      # https://github.com/lerna/lerna/issues/2788 --no-verify-access
-      # https://github.com/lerna/lerna/issues/1893 --preid ${{ github.sha }}
       - name: prerelease
         if: |
           !contains(github.head_ref, 'dependabot') &&
@@ -49,9 +59,9 @@ jobs:
           github.event_name == 'push' &&
           github.ref == 'refs/heads/master'
         env:
-          GH_TOKEN: '${{ secrets.BOT_TOKEN }}'
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
         run: |
           git config user.name "GitHub Actions Build"
           git config user.email "developers@aave.com"
           yarn release:check
-          yarn release:latest --yes --no-verify-access
+          yarn release:latest --yes --no-verify-access --npm-publish-args="--provenance"
diff --git a/package.json b/package.json
@@ -21,7 +21,7 @@
     "commit": "git-cz",
     "release:check": "lerna changed",
     "release:latest": "lerna publish --yes --conventional-commits --create-release github --message 'chore(release): publish [ci skip]'",
-    "release:canary": "lerna publish --canary --ignore-scripts",
+    "release:canary": "NPM_CONFIG_PROVENANCE=true lerna publish --canary --ignore-scripts",
     "prepare": "husky install"
   },
   "workspaces": [
