Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ jobs:
publish_template:
runs-on: ubuntu-latest
environment: npm-publish
permissions:
# Required for npm trusted publishing (OIDC token exchange with the registry)
id-token: write
# Required so the bump commit & tag can be pushed back to the branch
contents: write
steps:
- name: Safeguard against branch name
run: |
Expand All @@ -31,10 +36,18 @@ jobs:
- name: Checkout
uses: actions/checkout@v4.1.1
- name: Setup node.js
uses: actions/setup-node@v4.0.0
# setup-node@v6 supports npm trusted publishing (OIDC): with `registry-url`
# set and no token provided, it configures the registry without writing a
# bogus NODE_AUTH_TOKEN placeholder, so `npm publish` performs the OIDC
# token exchange. Older versions (e.g. v4) wrote a placeholder token that
# made npm attempt token auth instead, failing with E404/ENEEDAUTH.
uses: actions/setup-node@v6
with:
node-version: 'lts/*'
registry-url: 'https://registry.npmjs.org'
# Never cache dependencies in a publishing workflow: a poisoned cache
# could expose the short-lived OIDC token.
package-manager-cache: false
- name: Determine new template version
run: echo "VERSION=$(./scripts/bumpedTemplateVersion.sh ${{ inputs.version }})" >> $GITHUB_ENV
- name: Update versions to input one
Expand Down
Loading