Copilot AI commented Oct 23, 2025

This PR modernizes the GitHub Actions workflows to comply with the 2025 npm authentication and token management changes, which require using OIDC-based trusted publishers instead of manual token management.

Changes

Action Version Updates

  • Upgraded actions/checkout from v4 to v5
  • Upgraded actions/setup-node from v4 to v6
  • Upgraded cycjimmy/semantic-release-action from v4 to v5.0.2

Node Version Management

  • Updated node-version from hardcoded 20 to lts/* in both test and release jobs
  • This ensures the workflow automatically uses the latest LTS version without manual updates

Semantic Release Updates

  • Updated semantic_version from 17 to 25 to use the latest semantic-release

NPM Authentication

  • Removed NPM_TOKEN environment variable - no longer needed with trusted publishers
  • npm releases now authenticate via GitHub's OIDC using the existing id-token: write permission
  • Kept NPM_CONFIG_PROVENANCE: true to maintain npm provenance support

Security

The workflow already had the correct permissions configured:

  • contents: write - to publish GitHub releases
  • id-token: write - to enable OIDC for npm provenance
  • issues: write - to comment on released issues
  • pull-requests: write - to comment on released pull requests

Benefits

  • ✅ More secure - uses OIDC authentication instead of long-lived tokens
  • ✅ Less maintenance - lts/* keeps Node.js version current automatically
  • ✅ Future-proof - complies with npm's latest security requirements
  • ✅ No breaking changes - only workflow configuration updates
Original prompt

This section details the original issue you should resolve

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the 2025 npm authentication and token management changes.

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to lts/* for the release job and if there's a matrix in place for other jobs, use relative versions from lts. For example: [lts/-1, lts/*, latest] so we don't have to keep these versions updated in the future. If it's a single node version, then lts/* alone works.

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #15


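The workflow shape the PR description and the original prompt describe, as an added illustration that is not the repository's actual .github/workflows/release.yml: the old NPM_TOKEN-based release step is kept only as a comment to show what is removed, and the live job below uses OIDC trusted publishing. It assumes the package on npmjs.com already lists this repository and workflow file as a trusted publisher (a one-time setup outside the workflow) and that GITHUB_TOKEN is still passed to semantic-release for the GitHub release and comments; the trigger, job name and runner are also assumptions.

```yaml
# Constructed example; not the repository's real release.yml.
#
# BEFORE (for comparison only): a long-lived npm token stored as a secret and
# handed to the release step. Anyone who can read the secret, or any step that
# leaks env vars into logs, can publish as the package owner.
#
# release:
#   steps:
#     - uses: actions/checkout@v4
#     - uses: actions/setup-node@v4
#       with:
#         node-version: 20
#     - uses: cycjimmy/semantic-release-action@v4
#       with:
#         semantic_version: 17
#       env:
#         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
#         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
#         NPM_CONFIG_PROVENANCE: true

# AFTER: trusted publishing. The job requests a short-lived OIDC token from
# GitHub (id-token: write); npm verifies it against the trusted-publisher
# binding for the package, so no npm secret exists to steal or rotate.
name: release # assumed workflow name
on:
  push:
    branches: [main] # assumed trigger
jobs:
  release:
    runs-on: ubuntu-latest # assumed runner
    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: lts/* # tracks the current LTS without manual bumps
      - uses: cycjimmy/semantic-release-action@v5.0.2
        with:
          semantic_version: 25
        env:
          # GitHub-side auth only; no NPM_TOKEN anywhere in the job.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Provenance attestations continue to be generated for the publish.
          NPM_CONFIG_PROVENANCE: true
```

A quick check after merging such a change is to grep the workflow directory for NPM_TOKEN and confirm the release job declares id-token: write at job level, since a workflow-level permissions block without it would make the OIDC request fail.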


Note

Modernizes .github/workflows/release.yml by upgrading action versions, switching Node to lts/*, updating semantic-release to v25, and removing NPM_TOKEN in favor of OIDC.

  • CI Workflow (.github/workflows/release.yml)
    • Action upgrades: actions/checkout v4->v5; actions/setup-node v4->v6; cycjimmy/semantic-release-action v4->v5.0.2.
    • Node version: set node-version to lts/* for test and release jobs.
    • Semantic Release: bump semantic_version from 17 to 25.
    • Auth: remove NPM_TOKEN; rely on OIDC with existing id-token: write and keep NPM_CONFIG_PROVENANCE: true.

Written by Cursor Bugbot for commit fba9ada.

Copilot AI changed the title from "[WIP] Update GitHub Actions to use trusted publishers" to "Update GitHub Actions workflows for npm trusted publishers" on Oct 23, 2025
Copilot AI requested a review from kentcdodds October 23, 2025 00:06
Copilot finished work on behalf of kentcdodds October 23, 2025 00:06
@kentcdodds kentcdodds marked this pull request as ready for review October 23, 2025 00:06
@kentcdodds kentcdodds merged commit d260344 into main Oct 23, 2025
6 of 7 checks passed
@kentcdodds kentcdodds deleted the copilot/update-github-actions-workflows branch October 23, 2025 00:13