Use npm trusted publishing for package releases

hillna · hillna · commit 3286fd9501f7 · 2026-01-12T17:34:25.000-05:00
- Add OIDC permissions (id-token: write, contents: read) for trusted publishing
- Replace NODE_AUTH_TOKEN with npx npm@latest publish --provenance
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,13 +13,14 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      contents: read
       # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6
       - run: corepack enable
-      - uses: actions/setup-node@v4.1.0
+      - uses: actions/setup-node@v6
         with:
           node-version: 22.x
           registry-url: https://registry.npmjs.org
@@ -33,7 +34,4 @@ jobs:
       - run: yarn pack
       - name: Publish to NPM
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        # `yarn npm publish` does not currently support --provenance: https://github.com/yarnpkg/berry/issues/5430
-        run: npm publish package.tgz --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+        run: npx npm@latest publish package.tgz --provenance --access public
diff --git a/.gitignore b/.gitignore
@@ -110,3 +110,4 @@ dist
 !.yarn/plugins
 !.yarn/sdks
 *.tgz
+.DS_Store
diff --git a/package.json b/package.json
@@ -5,7 +5,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/foxglove/message-definition.git"
+    "url": "git+https://github.com/foxglove/message-definition.git"
   },
   "keywords": [
     "schema",
