From 3caa97aeca24b2e2c9ca1c484211d2a55e23a3ec Mon Sep 17 00:00:00 2001 From: acalcutt Date: Fri, 12 Dec 2025 11:59:50 -0500 Subject: [PATCH 1/5] migrate workflow to use npm trusted publishing --- .github/workflows/release.yml | 19 +++++++------------ package.json | 2 +- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a606218d..1179c430 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,9 @@ name: release +permissions: + id-token: write # Required for NPM trusted publishing + contents: write + on: push: branches: [master] @@ -36,8 +40,6 @@ jobs: needs: release-check if: ${{ needs.release-check.outputs.published == 'false' }} runs-on: ubuntu-latest - permissions: - contents: write defaults: run: shell: bash @@ -48,6 +50,7 @@ jobs: - uses: actions/setup-node@v6 with: node-version: 22 + registry-url: 'https://registry.npmjs.org' - run: npm ci @@ -90,16 +93,8 @@ jobs: - name: Publish to NPM (release) if: ${{ steps.prepare_release.outputs.prerelease == 'false' }} - run: | - npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}" - npm publish --access public - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + run: npm publish --access public - name: Publish to NPM (prerelease) if: ${{ steps.prepare_release.outputs.prerelease == 'true' }} - run: | - npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}" - npm publish --tag next --access public - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + run: npm publish --tag next --access public diff --git a/package.json b/package.json index e1b9e6cd..ec75a6e5 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "author": "Dane Springmeyer ", "repository": { "type": "git", - "url": "git://github.com/mapbox/node-pre-gyp.git" + "url": "https://github.com/mapbox/node-pre-gyp" }, "bin": "./bin/node-pre-gyp", "main": "./lib/node-pre-gyp.js", 
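Review bot: The new workflow-level `permissions:` block grants `id-token: write` and `contents: write` to every job in the file, including `release-check`, which only reads package.json and runs `npm view` and needs neither. Scope the OIDC grant to the job that actually runs `npm publish`: keep the workflow level at `permissions:` / `  contents: read` and put `permissions:` / `  id-token: write` / `  contents: write` under the publish job. As far as the npm trusted-publisher binding is to the repository and workflow file rather than to a job, any job holding `id-token: write` can mint a token the registry will accept, so the narrower scope limits the damage if a step in the check job is compromised.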
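Review bot: The publish job (`runs-on: ubuntu-latest` in this hunk) declares no `environment:`, so the npm trusted publisher can only be tied to the repository and workflow file, and every push to `master` (the trigger shown in the first hunk) can publish with no human gate. Adding `environment: npm-publish` directly under `runs-on` and registering that environment name in the npm trusted-publisher settings lets GitHub environment protection rules (required reviewers, deployment branch restrictions) front each release, which is the main control trusted publishing offers over a long-lived token. The job's steps continue beyond this hunk.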
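Review bot: `actions/setup-node@v6` is pinned to a mutable major tag inside a job that now carries publishing rights via OIDC; pin it (and the `actions/checkout` step above it, outside this hunk) to a full commit SHA with the tag kept as a trailing comment, so a retagged or compromised action release cannot execute with `id-token: write`. The `registry-url` addition is what makes setup-node write the `.npmrc` that `npm publish` reads; with trusted publishing no `NODE_AUTH_TOKEN` should need to be set alongside it, which is worth stating in a comment on that line, e.g. `registry-url: 'https://registry.npmjs.org' # needed so npm publish uses OIDC; no NODE_AUTH_TOKEN`.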
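Review bot: After this hunk nothing references `secrets.NPM_TOKEN`, but the token itself stays valid on npmjs.com until it is revoked, so the migration is only complete once the token is deleted from the package's access tokens, removed from the repository secrets, and the package's publishing access is set to require trusted publishing / 2FA so a leaked copy of the old token can no longer publish. Both `npm publish` lines rely on the OIDC exchange happening implicitly; consider `npm publish --access public --provenance` so the step fails loudly, rather than silently producing an unattested package, if the exchange does not occur — verify this against the npm CLI version the runner ends up with.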
From 27aa09b4bc328af2dd0423e9253f0af978bca290 Mon Sep 17 00:00:00 2001 From: acalcutt Date: Fri, 12 Dec 2025 13:02:02 -0500 Subject: [PATCH 2/5] read package name from pavkage.json, use node 24 --- .github/workflows/release.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1179c430..12672a6f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,8 +26,9 @@ jobs: - name: Check if version is published id: check run: | + packageName="$( node -e "console.log(require('./package.json').name)" )" currentVersion="$( node -e "console.log(require('./package.json').version)" )" - isPublished="$( npm view @mapbox/node-pre-gyp versions --json | jq -c --arg cv "$currentVersion" 'any(. == $cv)' )" + isPublished="$( npm view $packageName versions --json | jq -c --arg cv "$currentVersion" 'any(. == $cv)' )" echo "version=$currentVersion" >> "$GITHUB_OUTPUT" echo "published=$isPublished" >> "$GITHUB_OUTPUT" echo "currentVersion: $currentVersion" @@ -40,6 +41,9 @@ jobs: needs: release-check if: ${{ needs.release-check.outputs.published == 'false' }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # Enables OIDC token generation defaults: run: shell: bash @@ -49,7 +53,7 @@ jobs: - uses: actions/setup-node@v6 with: - node-version: 22 + node-version: 24 registry-url: 'https://registry.npmjs.org' - run: npm ci @@ -63,7 +67,7 @@ jobs: - run: npm run build --if-present - run: npm test - + - name: Prepare release changelog id: prepare_release run: | @@ -98,3 +102,4 @@ jobs: - name: Publish to NPM (prerelease) if: ${{ steps.prepare_release.outputs.prerelease == 'true' }} run: npm publish --tag next --access public + From 176ca8a3126196ae72312f924f972fefd3cceb71 Mon Sep 17 00:00:00 2001 
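Review bot: `$packageName` is expanded unquoted in `npm view $packageName versions --json`; write `npm view "$packageName" versions --json` so the value cannot be word-split or glob-expanded — it comes from the repository's own package.json, so the risk is low, but the quoting is free. Separately, if `npm view` fails (network error, or a name that has never been published) `jq` receives empty input and `published` is written as an empty string, which the publish job's `== 'false'` guard treats as "already published" and skips the release with no error; a `set -euo pipefail` at the top of the script would make that failure visible instead. The step's `run:` script may continue past this hunk.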
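Review bot: The job-level `permissions` block is the right place for `id-token: write`, but the workflow-level block introduced earlier in this series still grants `id-token: write` and `contents: write` to `release-check`, so the narrowing here only takes effect for the publish job. Remove `id-token: write` from the workflow-level block, leaving it at `permissions:` / `  contents: read`, so the OIDC grant exists only where `npm publish` runs. The comment `# Enables OIDC token generation` would be more useful as `# OIDC token for npm trusted publishing` since it says why, not just what.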
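Review bot: `node-version: 24` makes the npm CLI version an implicit property of whichever Node 24.x release the runner resolves, and trusted publishing needs a recent npm (npm documents a minimum CLI version, 11.5.1 at the time of writing) — an older bundled npm falls back to looking for a token and the publish fails. Make the requirement explicit with a step after setup-node such as `- run: npm install -g npm@11` (or at minimum `- run: npm --version` so a regression is diagnosable from the log). I am inferring that the 22→24 bump is about the bundled npm; if the motivation was different, the explicit npm pin is still worth adding.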
From: acalcutt Date: Fri, 12 Dec 2025 13:13:30 -0500 Subject: [PATCH 3/5] put back contents: write to fix git release publish --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 12672a6f..6ec8acb4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -42,7 +42,7 @@ jobs: if: ${{ needs.release-check.outputs.published == 'false' }} runs-on: ubuntu-latest permissions: - contents: read + contents: write # allow github publish action id-token: write # Enables OIDC token generation defaults: run: From 88050a648f2e2c82f96dc760ca1f1d4f447d246a Mon Sep 17 00:00:00 2001 From: acalcutt Date: Fri, 12 Dec 2025 13:16:28 -0500 Subject: [PATCH 4/5] Update release.yml --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6ec8acb4..bfc9a65f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,7 +67,7 @@ jobs: - run: npm run build --if-present - run: npm test - + - name: Prepare release changelog id: prepare_release run: | From 8c1e4a4fd699ab09a8af780404de5a843c35ae46 Mon Sep 17 00:00:00 2001 From: acalcutt Date: Fri, 12 Dec 2025 16:57:54 -0500 Subject: [PATCH 5/5] use only global permissions --- .github/workflows/release.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfc9a65f..129c7fe9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,9 +41,6 @@ jobs: needs: release-check if: ${{ needs.release-check.outputs.published == 'false' }} runs-on: ubuntu-latest - permissions: - contents: write # allow github publish action - id-token: write # Enables OIDC token generation defaults: run: shell: bash
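Review bot: Deleting the job-level `permissions` block hands control back to the workflow-level grant, so `release-check` once again receives `id-token: write` and `contents: write` it never uses; the least-privilege arrangement is the reverse of this commit — keep the job-level block under `runs-on` and reduce the workflow-level one to `permissions:` / `  contents: read`. As far as the diff shows, the job-level block (after the previous commit) granted exactly the same permissions as the workflow-level one, so removing it should not have changed the publish job's behaviour; if it was removed because something failed, that failure is worth recording in the commit message.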