ci: migrate npm publish to OIDC trusted publishing #84
Open
chcmedeiros wants to merge 2 commits into
Replace the token-based publish workflow with the reusable _publish-npm.yaml@v7 (OIDC trusted publishing, no NPM_TOKEN). Add .mise.toml so the reusable workflow installs deps via `ci_postinstall` (bun) and builds with `bun run` (ci_detect_pm) instead of the `bun build` bundler. @v7 (mise-action v3) is used rather than @v9, whose mise-action v4 bump leaves the publish step on npm 10.x (too old for OIDC, needs >= 11.5.1).
8b27f79 to 06061c1
- @ledgerhq/hw-transport 6.31.9 -> 6.35.4 (#83)
- @types/node ^24.3.0 -> ^25.9.3 (#80)

typescript 6 (#81) and eslint 10 (#82) are left out: both need dedicated migration (TS6 fails the build on rootDir/moduleResolution; eslint 10 conflicts with eslint-config-love's peer range). @types/jest (#79) is already at 30.0.0 on main.
What

Replace the token-based publish workflow with the reusable `_publish-npm.yaml@v7` (OIDC trusted publishing — no `NPM_TOKEN`). Add `.mise.toml`.

Details

- `ci_postinstall` task — `.mise.toml` defines it as `bun install --frozen-lockfile`.
- `ci_detect_pm` forces `pm=bun run` so the build step runs `bun run build` (the package's tsc build) instead of `bun build`, which is Bun's bundler and would error.
- `@v7` (mise-action v3). `@v9`'s mise-action v4 bump leaves the publish step on the mise node's bundled npm 10.9.8 — too old for OIDC trusted publishing (needs ≥ 11.5.1) — which 404s the publish.

Verification

On `push`/`pull_request` the workflow runs dry-run (install + build + `npm pack --dry-run`), so this PR's checks validate the pipeline without publishing.
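
A preflight that a publish job could run before `npm publish`, so that the failure described above (a publish step left on npm 10.9.8, which 404s) surfaces as an explicit error. This is an added example, not code from this PR or from the reusable workflow; the function names `version_ge` and `preflight` are hypothetical, and it assumes a GitHub Actions runner, where `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` are present only when the job has `id-token: write`.

```shell
#!/bin/sh
# Preflight for an OIDC trusted-publishing job (added example, hypothetical
# helper names). Reports every problem it finds instead of stopping at the first.

MIN_NPM="11.5.1"   # minimum npm for OIDC trusted publishing, as stated in the PR

# version_ge A B: exit 0 when A >= B, 1 when A < B, 2 on a non-numeric field.
# Compares major.minor.patch; a pre-release suffix ("-beta.1") is ignored.
version_ge() {
  _a=${1%%-*}; _b=${2%%-*}
  for _n in 1 2 3; do
    _x=${_a%%.*}; _y=${_b%%.*}
    _x=${_x:-0}; _y=${_y:-0}
    case "$_x$_y" in *[!0-9]*) return 2 ;; esac
    if [ "$_x" -gt "$_y" ]; then return 0; fi
    if [ "$_x" -lt "$_y" ]; then return 1; fi
    # Drop the field just compared; a missing field counts as 0.
    case "$_a" in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case "$_b" in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# preflight NPM_VERSION: prints each problem to stderr and returns their count.
preflight() {
  _problems=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM: OIDC trusted publishing is unavailable" >&2
    _problems=$((_problems + 1))
  fi
  # Assumption: GitHub Actions exposes these only with `id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "no OIDC token endpoint: the job lacks 'id-token: write'" >&2
    _problems=$((_problems + 1))
  fi
  # A leftover long-lived token means the token-based path was not fully removed.
  if [ -n "${NPM_TOKEN:-}" ]; then
    echo "NPM_TOKEN is still set in the publish environment" >&2
    _problems=$((_problems + 1))
  fi
  return "$_problems"
}

# In the publish job, before publishing:
#   preflight "$(npm --version)" || exit 1
```
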