
Commit 3c68717

smurchingclaude
andcommitted
Switch npm release workflows to Trusted Publishing with GitHub-hosted runners
- Replace databricks-protected-runner-group with ubuntu-latest - Add id-token: write permission for OIDC - Add npm update step (Trusted Publishing requires npm >= 11.5.1) - Replace NPM_TOKEN secret with --provenance flag on npm publish Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 58076ba commit 3c68717

2 files changed

Lines changed: 14 additions & 18 deletions


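--- a/.github/workflows/release-ai-sdk-provider.yml
+++ b/.github/workflows/release-ai-sdk-provider.yml
@@ -14,11 +14,10 @@ on:
 
 jobs:
 release:
-runs-on:
-group: databricks-protected-runner-group
-labels: linux-ubuntu-latest
+runs-on: ubuntu-latest
 
 permissions:
+id-token: write
 contents: write
 environment:
 name: ${{ (github.event_name == 'push' || inputs.production) && 'npm' || 'npm-next' }}
@@ -34,6 +33,9 @@ jobs:
 node-version: "20"
 registry-url: "https://registry.npmjs.org"
 
+- name: Update npm
+run: npm install -g npm@latest
+
 - name: Install dependencies
 run: rm -f package-lock.json && npm install
 
@@ -98,15 +100,11 @@ jobs:
 
 - name: Publish to npm
 if: github.event_name == 'push' || inputs.production
-run: npm publish --access public --ignore-scripts
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --access public --provenance --ignore-scripts
 
 - name: Publish to npm (next tag)
 if: github.event_name != 'push' && !inputs.production
-run: npm publish --access public --tag next --ignore-scripts
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --access public --tag next --provenance --ignore-scripts
 
 - name: Wait for registry propagation
 run: sleep 15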
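Review bot: The new `Update npm` step installs `npm@latest`, so the npm version that performs the OIDC exchange and the publish floats with whatever the registry serves at release time, inside a job that holds `id-token: write` and `contents: write`. Pinning to a reviewed version that meets the minimum stated in the commit message, for example `run: npm install -g npm@11.5.1`, keeps the release toolchain reproducible and makes upgrades a deliberate, reviewable change. A short comment above the step recording why the upgrade is needed (`# Trusted Publishing requires npm >= 11.5.1`) would stop it being removed later as apparent noise. The same step is added in release-langchainjs.yml.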

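--- a/.github/workflows/release-langchainjs.yml
+++ b/.github/workflows/release-langchainjs.yml
@@ -14,11 +14,10 @@ on:
 
 jobs:
 release:
-runs-on:
-group: databricks-protected-runner-group
-labels: linux-ubuntu-latest
+runs-on: ubuntu-latest
 
 permissions:
+id-token: write
 contents: write
 environment:
 name: ${{ (github.event_name == 'push' || inputs.production) && 'npm-langchainjs' || 'npm-next-langchainjs' }}
@@ -34,6 +33,9 @@ jobs:
 node-version: "20"
 registry-url: "https://registry.npmjs.org"
 
+- name: Update npm
+run: npm install -g npm@latest
+
 - name: Install dependencies
 run: rm -f package-lock.json && npm install
 
@@ -101,15 +103,11 @@ jobs:
 
 - name: Publish to npm
 if: github.event_name == 'push' || inputs.production
-run: npm publish --access public --ignore-scripts
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --access public --provenance --ignore-scripts
 
 - name: Publish to npm (next tag)
 if: github.event_name != 'push' && !inputs.production
-run: npm publish --access public --tag next --ignore-scripts
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+run: npm publish --access public --tag next --provenance --ignore-scripts
 
 - name: Wait for registry propagation
 run: sleep 15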
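Review bot: `id-token: write` is granted at job level, so every step in `release` can request an OIDC token, including the unchanged `rm -f package-lock.json && npm install` step, which resolves unpinned dependencies and runs their install scripts on every release. With the long-lived `NPM_TOKEN` removed, that job-wide capability is now the publishing credential, so it is worth narrowing: build and test in a job without `id-token`, then publish the packed artifact from a small job that carries `id-token: write` and the `npm-langchainjs` / `npm-next-langchainjs` environment. If the job stays single, a committed lockfile with `npm ci --ignore-scripts` would reduce what executes alongside the token. The steps between the hunks are not visible here, so confirm nothing depends on the current layout; release-ai-sdk-provider.yml has the same structure.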
