From e2b2e56bd25757688415a8c4a593efa0b7aa2b27 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 29 Oct 2025 17:44:58 +0000 Subject: [PATCH] Use NPM Trusted Publishers over token (#2239) * Use NPM Trusted Publishers over token due to security changes being enacted next month by npm * Add changelog entry * Update npm --- .github/workflows/release.yaml | 15 ++++++++------- .../internal/newsfragments/2239.clarification | 1 + 2 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 changelogs/internal/newsfragments/2239.clarification diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a53fe59a..f47b045e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,6 +12,9 @@ jobs: defaults: run: working-directory: packages/npm + permissions: + contents: read + id-token: write steps: - name: 🧮 Checkout code uses: actions/checkout@v4 @@ -23,6 +26,10 @@ jobs: cache-dependency-path: packages/npm/yarn.lock registry-url: "https://registry.npmjs.org" + # Ensure npm 11.5.1 or later is installed + - name: Update npm + run: npm install -g npm@latest + - name: 🔨 Install dependencies run: "yarn install --frozen-lockfile" @@ -33,10 +40,4 @@ jobs: VERSION: ${{ github.event.release.tag_name }}.0 - name: 🚀 Publish to npm - id: npm-publish - uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1 - with: - token: ${{ secrets.NPM_TOKEN }} - package: packages/npm - access: public - ignore-scripts: false + run: npm publish --provenance --access public --tag latest diff --git a/changelogs/internal/newsfragments/2239.clarification b/changelogs/internal/newsfragments/2239.clarification new file mode 100644 index 00000000..6b8cf712 --- /dev/null +++ b/changelogs/internal/newsfragments/2239.clarification @@ -0,0 +1 @@ +Use NPM Trusted Publishers for publishing `@matrix-org/spec` to npm. \ No newline at end of file
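Review bot: The `id-token: write` grant in the first hunk is set at job level, so every step in the job can request the OIDC token that npm trusts for publishing, not only the final publish step. That includes `yarn install --frozen-lockfile`, which may run dependency install scripts. If the build can be separated, a job with only `contents: read` could produce the tarball and a small publish job could be the only one that holds `id-token: write`. At minimum, add a comment above the block, such as `# id-token: write is required for npm trusted publishing (OIDC); every step in this job can mint that token`. The job starts and ends outside this hunk, so the full step list is inferred from the later hunks.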
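Review bot: The new `Update npm` step runs `npm install -g npm@latest`, which installs whatever npm release is current at release time into the job that holds the publishing identity. The publishing toolchain is therefore unpinned, whereas the action it replaces was pinned to a commit SHA. The comment only requires 11.5.1 or later, so a bounded range meets it without silently crossing a major version: `run: npm install -g npm@^11.5.1`. An exact version bumped deliberately would be stricter still and would make a release reproducible from the workflow file alone.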
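Review bot: The publish step no longer shows how it authenticates, so it should carry a comment such as `# Auth is via npm trusted publishing (OIDC); needs id-token: write on this job and no NPM_TOKEN`. Without it, a later edit that drops the permissions block will fail in a way that is hard to trace. The diff removes the reference to `secrets.NPM_TOKEN`, but it cannot show whether the long-lived token was revoked on npm and deleted from the repository secrets. Until that is done the old credential can still publish. Separately, `--tag latest` is hard-coded while `VERSION` comes from the release tag, so a release cut for an older version would presumably move the `latest` dist-tag backwards. It is worth confirming that releases are always published in order.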