Use NPM Trusted Publishers over token (#2239)

* Use NPM Trusted Publishers over token due to security changes being enacted next month by npm * Add changelog entry * Update npm
1 month ago · e2b2e56bd2
parent 967b54195c
commit e2b2e56bd2
2 changed files with 9 additions and 7 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -12,6 +12,9 @@ jobs:
    defaults:
      run:
        working-directory: packages/npm
+    permissions:
+      contents: read
+      id-token: write
    steps:
      - name: 🧮 Checkout code
        uses: actions/checkout@v4
@ -23,6 +26,10 @@ jobs:
          cache-dependency-path: packages/npm/yarn.lock
          registry-url: "https://registry.npmjs.org"

+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+
      - name: 🔨 Install dependencies
        run: "yarn install --frozen-lockfile"

@ -33,10 +40,4 @@ jobs:
          VERSION: ${{ github.event.release.tag_name }}.0

      - name: 🚀 Publish to npm
-        id: npm-publish
-        uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
-          package: packages/npm
-          access: public
-          ignore-scripts: false
+        run: npm publish --provenance --access public --tag latest
--- a/changelogs/internal/newsfragments/2239.clarification
+++ b/changelogs/internal/newsfragments/2239.clarification
@ -0,0 +1 @@
+Use NPM Trusted Publishers for publishing `@matrix-org/spec` to npm.
				`@ -0,0 +1 @@`
				Use NPM Trusted Publishers for publishing `@matrix-org/spec` to npm.