From f602d6c9d03f361f491be4d55b2e1293d2768d71 Mon Sep 17 00:00:00 2001 From: Marshall Asch Date: Mon, 1 Dec 2025 16:05:55 -0500 Subject: [PATCH] feat: switch to publish packages using trusted publishers instead of tokens --- .github/actions/setup/action.yml | 31 -------------------------- .github/workflows/deploy-storybook.yml | 17 +++++++++++--- .github/workflows/release-packages.yml | 18 ++++++++++++--- 3 files changed, 29 insertions(+), 37 deletions(-) delete mode 100644 .github/actions/setup/action.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml deleted file mode 100644 index 676544f..0000000 --- a/.github/actions/setup/action.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: 'Setup Workspace' -description: 'Checkout code, setup Node.js with pnpm, and install dependencies' - -inputs: - npm-token: - description: 'NPM token for authentication' - required: false - -runs: - using: 'composite' - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - persist-credentials: false - - - uses: pnpm/action-setup@v4 - - - uses: actions/setup-node@v4 - env: - NODE_AUTH_TOKEN: ${{ inputs.npm-token }} - with: - node-version-file: package.json - cache: "pnpm" - always-auth: "true" - scope: "@plextv" - registry-url: "https://registry.npmjs.org" - - - name: Install dependencies - run: pnpm install --frozen-lockfile - shell: bash diff --git a/.github/workflows/deploy-storybook.yml b/.github/workflows/deploy-storybook.yml index 5580fa5..30739e1 100644 --- a/.github/workflows/deploy-storybook.yml +++ b/.github/workflows/deploy-storybook.yml @@ -10,6 +10,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref }} permissions: pages: write # to deploy to Pages + contents: read id-token: write jobs: 
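Review bot: The added `contents: read` in the `permissions:` block of deploy-storybook.yml has no why-comment, although `pages: write # to deploy to Pages` directly above it does, and `id-token: write` below it is likewise unexplained. Once a `permissions:` block is present, every scope not listed is set to none, so each entry is a deliberate grant and worth a stated reason. I would write `contents: read # for actions/checkout` and, if that is indeed its purpose here, `id-token: write # OIDC token for the Pages deployment`.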
@@ -23,10 +24,20 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - - name: Setup workspace - uses: plexinc/react-lightning/.github/actions/setup@main + - uses: actions/checkout@v4 with: - npm-token: ${{ secrets.NPM_TOKEN }} + fetch-depth: 0 + persist-credentials: false + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version-file: package.json + cache: "pnpm" + + - name: Install dependencies + run: pnpm install --frozen-lockfile - name: Build Storybook run: pnpm run build:storybook diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 3bab16f..001055f 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -11,6 +11,7 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} permissions: + contents: read id-token: write jobs: @@ -23,10 +24,21 @@ jobs: published: ${{ steps.changesets.outputs.published }} steps: - - name: Setup workspace - uses: plexinc/react-lightning/.github/actions/setup@main + - uses: actions/checkout@v4 with: - npm-token: ${{ secrets.NPM_TOKEN }} + fetch-depth: 0 + persist-credentials: false + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version-file: package.json + cache: "pnpm" + + - name: Install dependencies + run: pnpm install --frozen-lockfile + shell: bash - name: Create release pull request or publish id: changesets
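Review bot: The three actions added to the `steps:` list of deploy-storybook.yml are referenced by movable tags (`actions/checkout@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`) in a workflow that grants `id-token: write` and `pages: write`. The same three references are added in the steps hunk of release-packages.yml, where the job publishes packages. A tag can be re-pointed by whoever controls the action's repository, so this file does not fix which code runs with the ability to request an OIDC token. Pin each reference to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: pnpm/action-setup@<full-commit-sha> # v4`, and let Dependabot or Renovate propose the bumps.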
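Review bot: `id-token: write` sits in the workflow-level `permissions:` block of release-packages.yml, so every job in this workflow can request an OIDC token, not only the one that publishes. The job in the following hunk exports a `published` output, which suggests other jobs consume it; they are outside the hunk, so this needs checking against the full file. With trusted publishing the OIDC token is the publish credential, so I would keep only `contents: read` at the top and move `id-token: write` into a `permissions:` block on the publishing job. A job-level block replaces the workflow-level one for that job, so it has to repeat `contents: read`.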
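Review bot: Nothing in the new setup steps of release-packages.yml ensures the npm CLI is recent enough for trusted publishing. `actions/setup-node@v4` takes its version from `node-version-file: package.json`, and npm's documentation requires npm 11.5.1 or later for OIDC publishing, which the npm bundled with the selected Node release may not meet. The publish step lies outside the hunk, so confirm the version there or record the requirement next to the step, e.g. `# trusted publishing needs npm >= 11.5.1; check the npm bundled with the Node version in package.json`. Also, removing `npm-token: ${{ secrets.NPM_TOKEN }}` only drops the reference. The token stays usable until it is revoked on npm and deleted from the repository secrets, and token-based publishing remains possible unless it is disallowed in the package's publishing settings.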