From 6ebf59f8b56e906fb1041ecfc7d242ae0558879e Mon Sep 17 00:00:00 2001
From: olivrg
Date: Sat, 20 Jun 2026 13:32:58 +0100
Subject: [PATCH] chore: switch npm release to Trusted Publishing (OIDC), matching @gethelio/proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the long-lived NPM_TOKEN (granular, bypass-2FA, @gethelio-scope) with tokenless OIDC trusted publishing, mirroring the proxy package's release.yml: - run the publish job under `environment: npm` with `id-token: write` - add "Upgrade npm for trusted publishing" (npm@latest) for OIDC support - publish via `npm publish --access public` (was `pnpm publish` + NODE_AUTH_TOKEN) - drop the NODE_AUTH_TOKEN env entirely Provenance is generated automatically by the OIDC publish. The tag↔version guard and the prepublishOnly verify gate are unchanged. Prereq before the next release: configure this repo + workflow (environment `npm`) as a Trusted Publisher on the @gethelio/helio-openclaw npm package settings. After the next release confirms OIDC works, the NPM_TOKEN secret can be deleted and the helio-openclaw-release-ci token revoked.
---
 .github/workflows/release.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7841057..7a578b1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,7 +2,11 @@ name: Release
 # Manual tag-based release. Push an annotated tag `vX.Y.Z` that matches package.json
 # `version`; this workflow runs the full verify gate (via prepublishOnly) and publishes
-# `@gethelio/helio-openclaw` to npm with provenance. No tag → no publish.
+# `@gethelio/helio-openclaw` to npm. No tag → no publish.
+#
+# Auth is npm Trusted Publishing (OIDC) — no stored token. The package's npm settings must list
+# this repo + workflow (`release.yml`) under environment `npm` as a Trusted Publisher. Provenance
+# is generated automatically by the OIDC publish.
 
 on:
   push:
     tags: ['v*']
@@ -13,13 +17,14 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write # npm provenance attestation
+  id-token: write # OIDC trusted publishing + provenance attestation
 
 jobs:
   publish:
     name: publish to npm
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    environment: npm
     steps:
       - uses: actions/checkout@v6
 
@@ -33,6 +38,9 @@ jobs:
           cache: pnpm
           registry-url: https://registry.npmjs.org
 
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
@@ -45,9 +53,7 @@ jobs:
             exit 1
           fi
 
-      # prepublishOnly runs lint + typecheck + test + build before packing; publishConfig
-      # in package.json sets access:public and provenance:true.
+      # prepublishOnly runs lint + typecheck + test + build before packing; publishConfig in
+      # package.json sets access:public. Provenance comes from the OIDC publish.
       - name: Publish to npm
-        run: pnpm publish --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public
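Review bot: The `environment: npm` line added under `publish:` in the `@@ -13,13 +17,14 @@` hunk is what the npm Trusted Publisher trust is keyed on, yet nothing in the workflow restricts who can reach that environment: the trigger is still any `v*` tag push, `permissions` grants `id-token: write` at workflow level, and no protection rules are visible, so tag-push rights become publish rights, which the commit description does not call out. Environment protection lives in repository settings rather than in this file, so it cannot be verified from the diff; the header comment should at least record the expectation so the next maintainer checks it, e.g. `# Protect the npm environment (deployment-tag rule for v*, required reviewer): once OIDC is trusted, pushing a tag is publishing.` The `publish` job continues beyond this hunk.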
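Review bot: `run: npm install -g npm@latest` in the `@@ -33,6 +38,9 @@` hunk floats the release toolchain on whatever npm version is current at run time, so the publish step is not reproducible and a broken or compromised npm release would land directly in the step that performs the OIDC exchange and generates provenance. Pin the version the workflow was validated with and bump it deliberately, e.g. `run: npm install -g npm@<pinned version>`, and add a comment above the step recording the minimum npm version trusted publishing requires (npm's documentation names the floor; 11.5.1 at the time of writing, to be confirmed) so future bumps stay above it. The `--frozen-lockfile` discipline applied to project dependencies two lines below is the same property this step currently lacks.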