fix(ci-cd): trusted publisher

changed the provenance

GH-269

Author: yeshamavani

.github/workflows/release.yaml

@@ -1,24 +1,32 @@
 # This Manually Executable Workflow is for NPM Releases
-
 name: Release [Manual]
 on: workflow_dispatch
+
 permissions:
   contents: write
-  id-token: write   # required for trusted publishing
+  id-token: write   # REQUIRED for trusted publishing
+
 jobs:
   Release:
     runs-on: ubuntu-latest
+    # Specify environment if you configured one in npm
+    # environment: production  # Uncomment if you set an environment name in npm trusted publisher settings
+
     steps:
       - uses: actions/checkout@v3
         with:
           # fetch-depth is necessary to get all tags
           # otherwise lerna can't detect the changes and will end up bumping the versions for all packages
           fetch-depth: 0
           token: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
+
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4  # ✅ UPDATED to v4
         with:
           node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+          always-auth: false  # ✅ ADD THIS - important for trusted publishing
+
       - name: Configure CI Git User
         run: |
           git config --global user.name $CONFIG_USERNAME
@@ -28,29 +36,27 @@ jobs:
           GITHUB_PAT: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
           CONFIG_USERNAME: ${{ vars.RELEASE_COMMIT_USERNAME }}
           CONFIG_EMAIL: ${{ vars.RELEASE_COMMIT_EMAIL }}
-      # - name: Authenticate with Registry
-      #   run: |
-      #     echo "@${NPM_USERNAME}:registry=https://registry.npmjs.org/" > .npmrc
-      #     echo "registry=https://registry.npmjs.org/" >> .npmrc
-      #     echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
-      #     npm whoami
-      #   env:
-      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      #     NPM_USERNAME: ${{ vars.NPM_USERNAME }}
 
       - name: Install 📌
-        run: |
-          npm install
+        run: npm install
+
       - name: Test 🔧
         run: npm run test
+
+      - name: Debug npm config
+        run: |
+          npm config list
+          echo "Registry link ---: $(npm config get registry)" # remove this later
+
+      # ✅ CHANGED THIS SECTION
       - name: Semantic Publish to NPM 🚀
-        # "HUSKY=0" disables pre-commit-msg check (Needed in order to allow semantic-release perform the release commit)
         run: |
           npm config set provenance true
           HUSKY=0 npx semantic-release --debug
         env:
           GH_TOKEN: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
-          # npm token not needed got trusted publishing
-          # NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # ✅ REMOVED: NPM_TOKEN is not needed with trusted publishing
+          # The id-token: write permission above handles authentication
+
       - name: Changelog 📝
         run: cd src/release_notes && HUSKY=0 node release-notes.js

package-lock.json

@@ -261,7 +261,14 @@
         }
       ],
       "@semantic-release/release-notes-generator",
+      [
       "@semantic-release/npm",
+      {
+        "npmPublish": true,
+        "pkgRoot": ".",
+        "tarballDir": "dist"
+      }
+    ],
       [
         "@semantic-release/git",
         {
@@ -274,6 +281,6 @@
       ],
       "@semantic-release/github"
     ],
-    "repositoryUrl": "git@github.com:sourcefuse/loopback4-authentication.git"
+    "repositoryUrl": "https://github.com/sourcefuse/loopback4-authentication.git"
   }
 }