From 6656ec53e53241aaf2c15fcc901ca09aac74ab74 Mon Sep 17 00:00:00 2001 From: Xavier Saliniere Date: Sun, 28 Dec 2025 21:06:00 -0500 Subject: [PATCH 1/4] fix(ci): make publish work with OIDC trusted publisher --- .github/workflows/publish.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5378318..11ac663 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,10 @@ on: branches: - main +permissions: + id-token: write # Required for OIDC + contents: read + jobs: release: runs-on: ubuntu-latest @@ -20,6 +24,9 @@ jobs: - name: Check version changes uses: EndBug/version-check@v2 id: check + + - name: Set up Node.js using mise + uses: jdx/mise-action@v3 - name: Create Git Tag if: steps.check.outputs.changed == 'true' @@ -42,6 +49,6 @@ jobs: - name: Publish to npm if: steps.check.outputs.changed == 'true' - run: npm publish + run: pnpm publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From b173ea64ac22902a2f0ee962c89b83ff318ccd62 Mon Sep 17 00:00:00 2001 From: Xavier Saliniere Date: Sun, 28 Dec 2025 21:06:17 -0500 Subject: [PATCH 2/4] chore(ci): bump workflows actions version --- .github/workflows/check.yml | 8 ++++---- .github/workflows/publish.yml | 4 +--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index af1ef1a..9c1c8e2 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -14,10 +14,10 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up Node.js using mise - uses: jdx/mise-action@v2 + uses: jdx/mise-action@v3 - name: Install dependencies run: pnpm install 
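Review bot: The workflow-level `permissions` block added in the first publish.yml hunk of PATCH 1/4 sets `contents: read`, while the `release` job keeps a `Create Git Tag` step (visible as context in the next hunk). That step's body is outside the hunks, so this needs confirming, but if it pushes the tag with the default `GITHUB_TOKEN` the push will be refused once this block applies. If so, grant `contents: write` on the job that creates the tag. Declaring the block under `jobs.release` instead of at the top level would also keep `id-token: write` from being inherited by any job added to this workflow later.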
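Review bot: The `jdx/mise-action@v3` step added in the second publish.yml hunk of PATCH 1/4 references a third-party action by a movable tag, inside the job that holds `id-token: write`. Whoever can move that tag can run code in a job able to request the OIDC token used for publishing, which also weakens what the later provenance attestation proves. The same applies to the `EndBug/version-check@v2` context line above it and to the `actions/checkout@v6` and `jdx/mise-action@v3` bumps in PATCH 2/4. Pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: jdx/mise-action@<full-commit-sha> # v3` (placeholder; take the SHA from the action's release).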
@@ -30,10 +30,10 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up Node.js using mise - uses: jdx/mise-action@v2 + uses: jdx/mise-action@v3 - name: Install dependencies run: pnpm install diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 11ac663..057abfd 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 @@ -50,5 +50,3 @@ jobs: - name: Publish to npm if: steps.check.outputs.changed == 'true' run: pnpm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From e6ed989697de9124ef4cf0116d0342d68d2e6e9d Mon Sep 17 00:00:00 2001 From: Xavier Saliniere Date: Sun, 28 Dec 2025 21:11:26 -0500 Subject: [PATCH 3/4] ci(publish): add install and build steps --- .github/workflows/publish.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 057abfd..a1f14a5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -27,6 +27,12 @@ jobs: - name: Set up Node.js using mise uses: jdx/mise-action@v3 + + - name: Install dependencies + run: pnpm install + + - name: Build + run: pnpm build - name: Create Git Tag if: steps.check.outputs.changed == 'true' From c29a0e3d5a2eb9883eb12929508fd096c72e5d4a Mon Sep 17 00:00:00 2001 From: Xavier Saliniere Date: Sun, 28 Dec 2025 21:12:39 -0500 Subject: [PATCH 4/4] ci(publish): add missing pnpm publish provenance flag --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a1f14a5..885928d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
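Review bot: The `Install dependencies` and `Build` steps added in PATCH 3/4 have no `if:` guard and sit in the job that holds `id-token: write`. Dependency install and build scripts therefore run with the ability to request the publishing token on every push to main, including pushes that do not change the version. Gate both with `if: steps.check.outputs.changed == 'true'`, as the tag and publish steps already are, and make the lockfile requirement explicit with `run: pnpm install --frozen-lockfile`. A stronger separation is to build in a job without `id-token: write` and pass the packed artifact to a minimal publish job.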
@@ -55,4 +55,4 @@ jobs: - name: Publish to npm if: steps.check.outputs.changed == 'true' - run: pnpm publish + run: pnpm publish --provenance
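Review bot: Nothing visible in the workflow checks which npm CLI version the `pnpm publish --provenance` step ends up using, and since PATCH 2/4 removed `NODE_AUTH_TOKEN` the step depends entirely on OIDC. npm documents a minimum CLI version for trusted publishing, and the toolchain here comes from mise configuration that is outside this patch. Assuming pnpm hands the upload to the npm CLI on the runner, an older npm would fail only at this last step, after `Create Git Tag` has already run, leaving a tag with no published package. Consider a preflight step before the tag is created (for example `run: npm --version` with a version check), or pin npm in the mise configuration. A comment on the step would also help: `# Auth via npm trusted publishing (OIDC); requires id-token: write`.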