chore: migrate to npm trusted publishing and GitHub App token

dividedmind · claude · dividedmind · commit 85cb7648f559 · 2026-02-26T16:23:05.000+01:00
- Replace PAT with GitHub App token (RELEASE_BOT_APP_ID/PRIVATE_KEY) in
  release job; app token events trigger other workflows unlike GITHUB_TOKEN
- Remove npm publish from semantic-release; add separate publish.yml
  workflow triggered on version tags using OIDC (no NPM_TOKEN needed)
- Drop id-token: write and write permissions from release job (governed
  by app installation, not workflow permissions block)
- Add windows-test to release job dependencies
- Remove @semantic-release/npm plugin from .releaserc.yaml

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -58,22 +58,22 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-      id-token: write
+    permissions: {}
     if: github.ref_name == 'main'
-    needs: [lint, test]
+    needs: [lint, test, windows-test]
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.SEMANTIC_RELEASE_BOT_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
       - uses: actions/setup-node@v4
       - run: yarn
-      - run: yarn prepack
       - run: yarn semantic-release
-    env:
-      NPM_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_NPM_TOKEN }}
-      GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_GITHUB_TOKEN }}
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,20 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v[0-9]*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          registry-url: 'https://registry.npmjs.org'
+      - run: yarn
+      - run: npm publish --provenance
diff --git a/.releaserc.yaml b/.releaserc.yaml
@@ -8,6 +8,5 @@ plugins:
   - "@semantic-release/commit-analyzer"
   - "@semantic-release/release-notes-generator"
   - "@semantic-release/changelog"
-  - "@semantic-release/npm"
   - "@semantic-release/git"
   - "@semantic-release/github"
