chore: add a new workflow for npm publish with trusted publishing

sarayev · sarayev · commit f8969fa66345 · 2026-01-02T16:25:27.000+01:00
diff --git a/.github/workflows/callable-npm-publish-lts-release.yml b/.github/workflows/callable-npm-publish-lts-release.yml
@@ -10,7 +10,17 @@ on:
 jobs:
   deploy:
     name: Publish to Amplify Package
+    secrets: inherit
+    uses: ./.github/workflows/callable-npm-publish-trusted.yml
+    with:
+      target: ${{ inputs.target }}
+      github_user: ${{ vars.GH_USER}}
+      github_email: ${{ vars.GH_EMAIL}}
+
+  post-deploy:
+    name: Post-deployment tasks
     runs-on: ubuntu-latest
+    needs: deploy
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -20,17 +30,6 @@ jobs:
           # Minimal depth 0 so we can fetch all git tags.
           fetch-depth: 0
 
-      - name: Setup node and build the repository
-        uses: ./amplify-js/.github/actions/node-and-build
-
-      - name: Run npm publish
-        uses: ./amplify-js/.github/actions/npm-publish
-        with:
-          target: ${{ inputs.target }}
-          npm_token: ${{ secrets.NPM_TOKEN }}
-          github_user: ${{ vars.GH_USER}}
-          github_email: ${{ vars.GH_EMAIL}}
-
       - name: Set github commit user
         env:
           GITHUB_EMAIL: ${{ vars.GH_EMAIL }}
@@ -39,6 +38,9 @@ jobs:
           git config --global user.email $GITHUB_EMAIL
           git config --global user.name $GITHUB_USER
 
+      - name: Setup node for docs generation
+        uses: ./amplify-js/.github/actions/node-and-build
+
       - name: Update API documentation
         working-directory: ./amplify-js
         run: |
diff --git a/.github/workflows/callable-npm-publish-preid.yml b/.github/workflows/callable-npm-publish-preid.yml
@@ -12,8 +12,8 @@ on:
         type: boolean
 
 jobs:
-  deploy:
-    name: Publish to Amplify Package
+  validate-preid:
+    name: Validate preid
     runs-on: ubuntu-latest
     steps:
       - name: Forbidden and protected preid protection
@@ -30,19 +30,13 @@ jobs:
           [[ $ALLOW_PROTECTED_PREIDS == 'false' ]] && for e in $PROTECTED_PREIDS; do [[ $PREID == $e ]] && echo "$PREID is protected from preid release" && exit 1; done
           echo "$PREID is allowed for preid release"
 
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          path: amplify-js
-
-      - name: Setup node and build the repository
-        uses: ./amplify-js/.github/actions/node-and-build
-
-      - name: Run npm publish
-        uses: ./amplify-js/.github/actions/npm-publish
-        with:
-          target: preid
-          preid: ${{ inputs.preid }}
-          npm_token: ${{ secrets.NPM_TOKEN }}
-          github_user: ${{ vars.GH_USER}}
-          github_email: ${{ vars.GH_EMAIL}}
+  deploy:
+    name: Publish to Amplify Package
+    needs: validate-preid
+    secrets: inherit
+    uses: ./.github/workflows/callable-npm-publish-trusted.yml
+    with:
+      target: preid
+      preid: ${{ inputs.preid }}
+      github_user: ${{ vars.GH_USER}}
+      github_email: ${{ vars.GH_EMAIL}}
diff --git a/.github/workflows/callable-npm-publish-release.yml b/.github/workflows/callable-npm-publish-release.yml
@@ -16,8 +16,18 @@ jobs:
 
   deploy:
     name: Publish to Amplify Package
-    runs-on: ubuntu-latest
     needs: deploy-prep
+    secrets: inherit
+    uses: ./.github/workflows/callable-npm-publish-trusted.yml
+    with:
+      target: release
+      github_user: ${{ vars.GH_USER}}
+      github_email: ${{ vars.GH_EMAIL}}
+
+  post-deploy:
+    name: Post-deployment tasks
+    runs-on: ubuntu-latest
+    needs: [deploy-prep, deploy]
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -27,17 +37,6 @@ jobs:
           # Minimal depth 0 so we can fetch all git tags.
           fetch-depth: 0
 
-      - name: Setup node and build the repository
-        uses: ./amplify-js/.github/actions/node-and-build
-
-      - name: Run npm publish
-        uses: ./amplify-js/.github/actions/npm-publish
-        with:
-          target: release
-          npm_token: ${{ secrets.NPM_TOKEN }}
-          github_user: ${{ vars.GH_USER}}
-          github_email: ${{ vars.GH_EMAIL}}
-
       - name: Set github commit user
         env:
           GITHUB_EMAIL: ${{ vars.GH_EMAIL }}
@@ -54,6 +53,9 @@ jobs:
           RELEASE_COMMIT_MESSAGE=$(git log -n 1 --skip 1 --pretty=oneline)
           if [[ $RELEASE_COMMIT_MESSAGE = *release\(required\)* ]]; then git tag -f required-release $PUBLISH_COMMIT_HASH; fi
 
+      - name: Setup node for docs generation
+        uses: ./amplify-js/.github/actions/node-and-build
+
       - name: Update API documentation
         working-directory: ./amplify-js
         run: |
@@ -75,4 +77,4 @@ jobs:
         run: |
           git checkout -b $TEMP_BRANCH_NAME
           git push origin $TEMP_BRANCH_NAME
-          gh pr create -B main -H $TEMP_BRANCH_NAME --title 'chore: Merge release into main' --body 'Merge the recently completed release back into the main development branch. Generated by the callable-npm-publish-release workflow.'          
+          gh pr create -B main -H $TEMP_BRANCH_NAME --title 'chore: Merge release into main' --body 'Merge the recently completed release back into the main development branch. Generated by the callable-npm-publish-release workflow.'
diff --git a/.github/workflows/callable-npm-publish-trusted.yml b/.github/workflows/callable-npm-publish-trusted.yml
@@ -0,0 +1,60 @@
+name: Trusted npm publisher with OIDC authentication
+
+on:
+  workflow_call:
+    inputs:
+      github_user:
+        description: The git user to make commits with
+        required: true
+        type: string
+      github_email:
+        description: The git email to make commits with
+        required: true
+        type: string
+      target:
+        description: The release process target (either release or preid)
+        required: true
+        type: string
+      preid:
+        description: The preid to release to when the target is preid
+        required: false
+        type: string
+
+jobs:
+  publish:
+    name: Publish to npm with trusted authentication
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for npm trusted publishers
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: amplify-js
+          token: ${{ secrets.GH_TOKEN_AMPLIFY_JS_WRITE }}
+          # Minimal depth 0 so we can fetch all git tags.
+          fetch-depth: 0
+
+      - name: Setup node and build the repository
+        uses: ./amplify-js/.github/actions/node-and-build
+
+      - name: Authenticate with npm (trusted publishers)
+        id: npm-auth
+        run: |
+          if [ -n "$NPM_TOKEN" ]; then
+            echo "Using npm trusted publishers authentication"
+            echo "auth_token=$NPM_TOKEN" >> "$GITHUB_OUTPUT"
+          else
+            echo "Error: NPM_TOKEN not provided by trusted publishers"
+            exit 1
+          fi
+
+      - name: Run npm publish
+        uses: ./amplify-js/.github/actions/npm-publish
+        with:
+          target: ${{ inputs.target }}
+          preid: ${{ inputs.preid }}
+          npm_token: ${{ steps.npm-auth.outputs.auth_token }}
+          github_user: ${{ inputs.github_user }}
+          github_email: ${{ inputs.github_email }}
