
Commit 0ef1674

cjheppell and claude authored
fix(ci): migrate to NPM OIDC trusted publishing (#293)
The release job now fetches a short-lived OIDC token before publishing instead of relying on a stored write NPM token.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 4b9c782 commit 0ef1674

1 file changed

Lines changed: 6 additions & 2 deletions

.circleci/config.yml

@@ -210,7 +210,9 @@ jobs:
210210
- node_install_packages
211211
- run:
212212
name: Publish to GitHub
213-
command: npx semantic-release
213+
command: |
214+
export NPM_ID_TOKEN=$(circleci run oidc get --claims '{"aud": "npm:registry.npmjs.org"}')
215+
npx semantic-release
214216
215217
workflows:
216218
version: 2
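
Review bot: On the new `export NPM_ID_TOKEN=$(circleci run oidc get ...)` line, a failure of `circleci run oidc get` is masked, because `export` returns its own exit status rather than that of the command substitution, so `npx semantic-release` would still run with an empty token. Assign first and export separately (`NPM_ID_TOKEN=$(...)` followed by `export NPM_ID_TOKEN`), or add a non-empty check before publishing, so the step fails at the token fetch rather than later during the publish. The step is also still named `Publish to GitHub` although it now prepares the npm registry credential; a name that mentions npm would make the job log easier to read.
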
@@ -286,7 +288,9 @@ workflows:
286288

287289
- release:
288290
name: Release
289-
context: nodejs-app-release
291+
context:
292+
- nodejs-install
293+
- github-release
290294
node_version: "lts"
291295
requires:
292296
- test-unix-unit
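
Review bot: The `context:` change from `nodejs-app-release` to `nodejs-install` and `github-release` does not by itself show that the stored npm write token is gone from the release job, since the contents of the contexts are not visible in this diff. Please confirm that neither new context defines an npm publish token and that the token held in `nodejs-app-release` has been revoked, and consider a short comment above the list saying what each context supplies.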
