docs(readme): switch main example to trusted publishing

mcous · mcous · commit fc80b61a8d2a · 2026-01-03T15:37:45.000-05:00
diff --git a/README.md b/README.md
@@ -39,9 +39,7 @@ jobs:
           registry-url: "https://registry.npmjs.org"
       - run: npm ci
       - run: npm test
-      - run: npm publish --provenance --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --ignore-scripts
 ```
 
 See GitHub's [Node.js publishing][] guide and npm's [trusted publishing][] docs for more details and examples.
@@ -78,7 +76,7 @@ This package can be used three different ways:
 
 ## GitHub Action
 
-To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set the `token` parameter to your [npm authentication token][].
+To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set `permissions.id-token` to `write` to enable [trusted publishing][] via OIDC.
 
 ```yaml
 on:
@@ -88,6 +86,9 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-node@v5
@@ -96,33 +97,29 @@ jobs:
       - run: npm ci
       - run: npm test
       - uses: JS-DevTools/npm-publish@v4
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
 ```
 
-If you have [trusted publishing][] configured for your package and use `npm@>=11.5.1`, you can omit the `token` input and use OIDC instead.
-
 > [!IMPORTANT]
-> If you're publishing a private package, you will still need to provide a read-only `token` so the action can read existing versions from the registry before publish.
-
-```diff
-  jobs:
-    publish:
-      runs-on: ubuntu-latest
-+     permissions:
-+       contents: read
-+       id-token: write  # required to use OIDC
-      steps:
-        - uses: actions/checkout@v5
-        - uses: actions/setup-node@v5
-          with:
-            node-version: "24"  # includes npm@11.6.0
-        - run: npm ci
-        - run: npm test
-        - uses: JS-DevTools/npm-publish@v4
--         with:
--           token: ${{ secrets.NPM_TOKEN }}
-```
+> If you're publishing a private package with [trusted publishing][], you will still need to provide a read-only [`token`][npm authentication token] so the action can read existing versions from the registry before publish.
+>
+> ```diff
+>   jobs:
+>     publish:
+>       runs-on: ubuntu-latest
+>       permissions:
+>         contents: read
+>     id-token: write  # required to use OIDC
+>       steps:
+>         - uses: actions/checkout@v5
+>         - uses: actions/setup-node@v5
+>           with:
+>             node-version: "24"  # includes npm@11.6.0
+>         - run: npm ci
+>         - run: npm test
+>         - uses: JS-DevTools/npm-publish@v4
+> -         with:
+> -           token: ${{ secrets.NPM_TOKEN }}
+> ```
 
 You can also publish to third-party registries. For example, to publish to the [GitHub Package Registry][], set `token` to `secrets.GITHUB_TOKEN` and `registry` to `https://npm.pkg.github.com`:
 
@@ -161,7 +158,7 @@ You can set any or all of the following input parameters using `with`:
 
 | Name             | Type                   | Default                       | Description                                                                      |
 | ---------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
-| `token`          | string                 | unspecified                   | Registry authentication token, not required if using [trusted publishing][]³     |
+| `token`          | string                 | None                          | Registry authentication token, not required if using [trusted publishing][]³     |
 | `registry`¹      | string                 | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
 | `package`        | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
 | `tag`¹           | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
@@ -187,8 +184,6 @@ npm-publish exposes several output variables, which you can use in later steps o
   steps:
     - uses: JS-DevTools/npm-publish@v4
 +     id: publish
-      with:
-        token: ${{ secrets.NPM_TOKEN }}
 
 +   - if: ${{ steps.publish.outputs.type }}
 +     run: echo "Version changed!"
@@ -237,7 +232,7 @@ import type { Options } from "@jsdevtools/npm-publish";
 
 | Name                 | Type                   | Default                       | Description                                                                      |
 | -------------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
-| `token`              | string                 | **required**                  | Registry authentication token, not required if using [trusted publishing][]³     |
+| `token`              | string                 | None                          | Registry authentication token, not required if using [trusted publishing][]³     |
 | `registry`¹          | string, `URL`          | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
 | `package`            | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
 | `tag`¹               | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
@@ -246,7 +241,7 @@ import type { Options } from "@jsdevtools/npm-publish";
 | `strategy`           | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades.    |
 | `ignoreScripts`      | boolean                | `true`                        | Run `npm publish` with the `--ignore-scripts` flag as a security precaution.     |
 | `dryRun`             | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.              |
-| `logger`             | object                 | `undefined`                   | Logging interface with `debug`, `info`, and `error` log methods.                 |
+| `logger`             | object                 | None                          | Logging interface with `debug`, `info`, and `error` log methods.                 |
 | `temporaryDirectory` | string                 | `os.tmpdir()`                 | Temporary directory to hold a generated `.npmrc` file                            |
 
 1. May be specified using `publishConfig` in `package.json`.
