ci: publish to npm via trusted publishing #252

Open

christianalfoni wants to merge 1 commit into main from trusted-publishing-npm

Conversation

@christianalfoni (Contributor)

What

Switch npm publishing from a long-lived NPM_TOKEN to Trusted Publishing (OIDC).

  • New .github/workflows/release.yml — publishes to npm via OIDC. Triggered by the release: published event, with id-token: write permission, updates npm to a version that supports trusted publishing (≥ 11.5.1), and runs npm publish with no NODE_AUTH_TOKEN.
  • release-please.yml — slimmed to only create the release PR / GitHub Release. Build + publish moved to release.yml.

Flow

  1. Push to main → Release Please opens/updates a release PR.
  2. Merge the PR → Release Please tags and publishes a GitHub Release → that release: published event triggers release.yml, which publishes to npm.

This works because Release Please creates the release with RELEASE_PLEASE_TOKEN (a PAT), so the release event can trigger downstream workflows (the default GITHUB_TOKEN would not).

Before merging

  • Confirm the npm trusted publisher is configured for workflow filename release.yml on codesandbox/codesandbox-sdk — the OIDC claim must match exactly.
  • The NPM_TOKEN secret is now unused and can be removed after a successful publish.

🤖 Generated with Claude Code

Add a release.yml workflow that publishes to npm using Trusted Publishing
(OIDC) instead of a long-lived NPM_TOKEN. It is triggered by the GitHub
Release that Release Please creates on merge.

release-please.yml now only handles release creation; the build and
publish steps move to release.yml, which is the workflow npm is
configured to trust.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
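As an added illustration of the workflow this PR describes (this is not the release.yml from the PR, whose contents are not shown on the page), the following is a release.yml that implements the same flow: triggered by release: published, id-token: write and no other write permission, npm upgraded to a version at or above 11.5.1, and npm publish run with no NODE_AUTH_TOKEN. The pinned action versions, the Node version and the presence of a build script are assumptions.

```yaml
# Added example, not the workflow from this PR. Action/Node versions and the
# "build" script are assumptions. The trusted publisher configured on npmjs.com
# must name this exact filename (release.yml) for codesandbox/codesandbox-sdk.
name: Release

on:
  release:
    types: [published]   # fired by the GitHub Release that Release Please creates

# Least privilege: read the repo, mint an OIDC token, nothing else.
# No NPM_TOKEN secret and no NODE_AUTH_TOKEN env var anywhere in this file.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires npm >= 11.5.1; the npm bundled with the
      # runner's Node may be older, so upgrade and print the version first.
      - run: npm install -g npm@latest
      - run: npm --version

      - run: npm ci
      - run: npm run build

      # Sanity check: fail loudly if a token leaked into the environment,
      # since the whole point is that none is needed.
      - run: test -z "$NODE_AUTH_TOKEN" || (echo "NODE_AUTH_TOKEN must not be set" && exit 1)

      # No token: the npm CLI exchanges the GitHub OIDC token for a short-lived
      # publish credential. This fails if the trusted publisher entry on npm
      # does not match the repository and workflow filename exactly.
      - run: npm publish
```

The match npm performs is against the OIDC token's repository and workflow claims (the job_workflow_ref claim has the form owner/repo/.github/workflows/release.yml@ref), so renaming the file, moving the publish step into a differently named workflow, or calling it through a reusable workflow from another file changes the claim and the publish is rejected. Two caveats worth keeping in mind: id-token: write should stay scoped to the publish job if other jobs are added to this file, and because the trigger is release: published, anyone who can create a GitHub Release in the repository can now cause an npm publish, so release permissions are the new trust boundary where the NPM_TOKEN secret used to be.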
@codesandbox-ci

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.
