Setup trusted publishing

firefoxic · firefoxic · commit 00c269d2e432 · 2025-12-09T00:28:23.000+03:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -23,8 +23,9 @@ jobs:
         with:
           node-version-file: package.json
           cache: pnpm
+          registry-url: 'https://registry.npmjs.org'
+      - run: pnpm add -g npm@latest
       - run: pnpm install
       - run: ./release-it.sh
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and 
 
 ## [Unreleased]
 
+### Changed
+
+- The package now uses [trusted publishing](https://docs.npmjs.com/trusted-publishers) instead of NPM tokens. You should remove the line with `NPM_TOKEN` from your release pipeline (and also remove the `NPM_TOKEN` from secrets of your repository) and add a line with `registry-url: 'https://registry.npmjs.org'` (see the changes to the `release.yaml` file as an example).
+
 ## [3.0.0] — 2025–09–24
 
 ### Changed
diff --git a/README.md b/README.md
@@ -25,7 +25,6 @@ Or add running with two secret tokens in your CI pipeline:
 ```yaml
 - run: pnpm dlx @firefoxic/release-it
   env:
-    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
diff --git a/release-it.sh b/release-it.sh
@@ -34,8 +34,6 @@ validate_release_branch() {
 
 setup_authentication() {
 	if [[ "${CI:-}" == "true" ]]; then
-		echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
-
 		git config --global user.email "actions@users.noreply.github.com"
 		git config --global user.name "GitHub Actions"
 	else
@@ -168,7 +166,7 @@ update-changelog() {
 
 publish_to_npm() {
 	if [[ "${CI:-}" == "true" ]]; then
-		pnpm publish --provenance --access public --no-git-checks
+		npm publish --provenance --access public --no-git-checks
 	else
 		pnpm publish --access public --no-git-checks --otp="$NPM_OTP"
 	fi
@@ -225,7 +223,7 @@ VERSION DETECTION:
 
 AUTHENTICATION:
     • Local: Enter OTP interactively
-    • CI: Uses NPM_TOKEN secret automatically
+    • CI: Uses NPM trusted publishing
     • GitHub Release: Requires 'gh auth login' or GITHUB_TOKEN
 
 EXAMPLES:
