Merge pull request #522 from web-ridge/copilot/fix-trusted-publishing-issue

RichardLindhout · web-flow · commit 063dcba7fc0b · 2026-04-04T16:01:02.000+02:00
ci: migrate npm publishing to trusted publishing (OIDC)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,6 +49,9 @@ jobs:
   release:
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/master'
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -60,10 +63,10 @@ jobs:
         run: |
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> .npmrc
       - run: yarn release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
   deploy-example:
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/master'
