
Migrate to NPM trusted publishing#153

Merged
dmattia merged 2 commits into main from copilot/use-npm-trusted-publishing
Dec 19, 2025

Conversation

Contributor

Copilot AI commented Dec 18, 2025

Replaces NPM_TOKEN secret authentication with OIDC-based trusted publishing for npm registry. GitHub Packages publishing remains unchanged.

Changes

  • setup-node: Upgraded to v6 with npm@11.5.1 for trusted publisher support
  • Publish job: Added id-token: write permission, removed NPM_TOKEN configuration step, set NODE_AUTH_TOKEN="" for npm publish
  • Version: Bumped to 6.1.3

Publishing Flow

# Before: Token-based
- name: Configure npm authentication
  run: pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
- name: Publish to npm
  run: pnpm publish

# After: OIDC-based trusted publishing
- name: Publish to npm
  run: pnpm publish
  env:
    NODE_AUTH_TOKEN: ""

GitHub Packages continues using GITHUB_TOKEN as before.

Original prompt

This section details the original issue you should resolve

<issue_title>@copilot use npm trusted publishing</issue_title>
<issue_description>
  • make sure we use actions/setup-node@v6, not older versions
  • after calling setup-node, run this code:
    # See: https://docs.npmjs.com/trusted-publishers
    # See: https://github.com/actions/setup-node/issues/1445
    - name: Set npm to version that supports trusted publishers
      run: npm install -g npm@11.5.1
      shell: bash
  • set permissions on the github workflow to:
    permissions:
      id-token: write
      contents: read
      packages: write
  • when calling pnpm publish to npm, set NODE_AUTH_TOKEN=""
  • bump the version in package.json
  • remove npm authentication using NPM_TOKEN, such as:
    - name: Configure npm authentication
      run: |
        pnpm config set always-auth true
        pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"

This should only be removed for npm publishing, not to github packages
</issue_description>

Comments on the Issue (you are @copilot in this section)


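The steps listed in the PR description and the original issue (setup-node@v6, pin npm to 11.5.1, grant `id-token: write`, drop the `NPM_TOKEN` step, publish with an empty `NODE_AUTH_TOKEN`, keep `GITHUB_TOKEN` for GitHub Packages) fit together into one publish job. The workflow below is an added example written for this page, not the project's actual workflow file: the `release` trigger, the pnpm and Node versions, the `--no-git-checks` flag and the way the GitHub Packages step sets its auth token are all assumptions. It also assumes the package is public and that a trusted publisher for this repository and for this exact workflow file name has already been registered on npmjs.com, because npm matches the OIDC claims against that registration and rejects a publish from any other repository or workflow file.

```yaml
# Added example, not the project's own workflow. Assumes: pnpm-based repo,
# public package, and a trusted publisher registered on npmjs.com for this
# repository and this workflow file name.
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Scope the permissions to this job rather than the whole workflow so that
    # other jobs cannot mint an OIDC token or push packages.
    permissions:
      id-token: write   # lets the job request a short-lived OIDC token for npm
      contents: read
      packages: write   # still required for the GitHub Packages publish below
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: 9          # assumption: pnpm major used by the repo

      # v6 is the setup-node release the issue asks for.
      - uses: actions/setup-node@v6
        with:
          node-version: 22    # assumption
          registry-url: https://registry.npmjs.org
          cache: pnpm

      # See: https://docs.npmjs.com/trusted-publishers
      # See: https://github.com/actions/setup-node/issues/1445
      # pnpm publish hands the actual upload to the npm CLI, so the global npm
      # version is what must support trusted publishing.
      - name: Set npm to version that supports trusted publishers
        run: npm install -g npm@11.5.1
        shell: bash

      - run: pnpm install --frozen-lockfile

      # No NPM_TOKEN secret is referenced anywhere in this job. setup-node writes
      # an .npmrc entry that reads the token from NODE_AUTH_TOKEN; leaving it
      # empty means no static credential is sent and npm uses the OIDC exchange.
      - name: Publish to npm (trusted publishing)
        run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ""

      # GitHub Packages is unchanged: it still authenticates with the workflow's
      # GITHUB_TOKEN, which is why packages: write stays in the permissions.
      - name: Publish to GitHub Packages
        run: |
          pnpm config set //npm.pkg.github.com/:_authToken "${NODE_AUTH_TOKEN}"
          pnpm publish --registry=https://npm.pkg.github.com --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two checks worth running after the migration: confirm in the repository's secrets page that `NPM_TOKEN` can be deleted (nothing in the workflow should still read it, and a long-lived publish token left behind is exactly the credential trusted publishing is meant to retire), and keep the `permissions` block at job level so `id-token: write` is not inherited by unrelated jobs in the same workflow.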

@dmattia
Member

dmattia commented Dec 18, 2025

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement npm trusted publishing setup" to "Migrate to NPM trusted publishing" on Dec 18, 2025
Copilot AI requested a review from dmattia December 18, 2025 23:37
@dmattia dmattia marked this pull request as ready for review December 19, 2025 00:43
@dmattia dmattia merged commit 162d0d8 into main Dec 19, 2025
7 checks passed


Development

Successfully merging this pull request may close these issues.

@copilot use npm trusted publishing

3 participants