ci: use trusted publishing to publish our npm package

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-12-18 12:02:36 +01:00
parent 9442c70243
commit 2ea2c9d9ee
3 changed files with 34 additions and 45 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,9 @@
 name: publish

+permissions:
+  id-token: write  # required for OIDC
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -9,17 +13,40 @@ on:
    tags:
      - 'v*'

+env:
+  NODE_VERSION: "24" # at least Node 24 is required for Trusted Publishing with OIDC
+
 jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'yarn'
+      -
+        name: Print versions
+        run: |
+          node --version
+          npm --version
+          yarn --version
+      -
+        name: Build
+        run: |
+          yarn install
+          yarn run build
      -
        name: Publish
-        uses: docker/bake-action@v6
-        with:
-          targets: publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+        run: |
+          npm version --no-git-tag-version ${GITHUB_REF#refs/tags/v}
+          npm publish --access public