ci: Update release workflow for npm OIDC authentication and bump up node version #273
Pull request overview
This pull request updates the npm publishing workflow to use OIDC (OpenID Connect) authentication instead of token-based authentication, and upgrades Node.js to version 24 across all CI workflows.
Changes:
- Migrated npm publishing from token-based authentication to OIDC trusted publishing
- Upgraded Node.js from version 18 to version 24 across all GitHub Actions workflows
- Added npm provenance configuration to package.json
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| release.sh | Simplified script to use OIDC authentication, removing manual NPM_TOKEN handling |
| package.json | Added publishConfig section with provenance settings for npm trusted publishing |
| .github/workflows/release.yml | Added OIDC permissions, registry-url configuration, and Node.js 24 upgrade |
| .github/workflows/pull-request.yml | Updated Node.js version from 18 to 24 across all jobs |
| "access": "public", | ||
| "provenance": true, | ||
| "registry": "https://registry.npmjs.org" |
Copilot
AI
Jan 15, 2026
The indentation in the publishConfig section uses 8 spaces instead of 2 spaces, which is inconsistent with the rest of the package.json file. This should be corrected to maintain consistent formatting.
| "access": "public", | |
| "provenance": true, | |
| "registry": "https://registry.npmjs.org" | |
| "access": "public", | |
| "provenance": true, | |
| "registry": "https://registry.npmjs.org" |
|
|
||
| - name: Install node modules | ||
| run: yarn install | ||
|
|
Copilot
AI
Jan 15, 2026
Trailing whitespace on line 68 should be removed for cleaner formatting.
| ], | ||
| "publishConfig": { | ||
| "access": "public", | ||
| "provenance": true, |
Copilot
AI
Jan 15, 2026
The 'provenance' field is redundant in publishConfig since it's already specified as a CLI flag '--provenance' in release.sh. While both are valid, having it in only one location would be clearer. Consider removing it from either package.json or the CLI command.
| "provenance": true, |
| touch .npmrc; | ||
| echo "//registry.npmjs.org/:_authToken=$1" > .npmrc; | ||
| npm publish; | ||
| npm publish --provenance --access public |
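Review bot: the new `npm publish --provenance --access public` line no longer reads `$1`, which the removed `echo "//registry.npmjs.org/:_authToken=$1" > .npmrc` line consumed, so a caller that still passes the npm token as the first argument would keep handing a long-lived secret to a script that ignores it. Confirm the release workflow stops passing that argument and that the token secret is deleted and revoked, and consider making the script exit with an error when any positional argument is supplied so a leftover token cannot go unnoticed.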
Copilot
AI
Jan 15, 2026
The '--access public' flag is redundant since it's already specified in package.json publishConfig. While both are valid, having it in only one location would be clearer. Consider removing it from the CLI command.
| npm publish --provenance --access public | |
| npm publish --provenance |
Summary
LTS24.x
Testing Plan
{explain how this has been tested, and what additional testing should be done}
Master Issue
Closes https://go/j/SDKE-683
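
A preflight check for the OIDC publish path this pull request moves to, as an added example that is not part of the pull request or the project's code. The function names, the `--check` switch and the `MIN_NPM` value are assumptions of this sketch; the two `ACTIONS_ID_TOKEN_REQUEST_*` variables are the ones GitHub Actions sets for jobs granted `id-token: write`.

```shell
#!/bin/sh
# Added example: preflight checks before `npm publish --provenance` under OIDC.
# preflight, has_static_token, oidc_env_present, version_ge are hypothetical names.

MIN_NPM=11.5.1   # assumed minimum npm CLI for trusted publishing; confirm in npm docs

# True when version $1 >= $2 (numeric major.minor.patch, pre-release tag ignored).
version_ge() {
  awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# True when the npmrc at $1 still holds a static token, e.g. the
# "//registry.npmjs.org/:_authToken=..." line the old release.sh wrote.
has_static_token() {
  [ -f "$1" ] && grep -Eq '^[^#;]*_authToken[[:space:]]*=' "$1"
}

# True when the runner exposes the OIDC request endpoint, which GitHub Actions
# does only for jobs granted `permissions: id-token: write`.
oidc_env_present() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] &&
    [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# preflight <npmrc-path> <npm-version>: returns the number of failed checks.
preflight() {
  fails=0
  if has_static_token "$1"; then
    echo "static _authToken found in $1; remove it" >&2; fails=$((fails + 1))
  fi
  if ! oidc_env_present; then
    echo "no OIDC token endpoint; is id-token: write granted?" >&2; fails=$((fails + 1))
  fi
  if ! version_ge "$2" "$MIN_NPM"; then
    echo "npm $2 is older than $MIN_NPM" >&2; fails=$((fails + 1))
  fi
  return "$fails"
}

# Run the checks only when asked, e.g. `sh preflight.sh --check` in release.sh.
if [ "${1:-}" = "--check" ]; then
  preflight "${2:-.npmrc}" "$(npm --version)"
fi
```

Calling it before the publish line makes a misconfigured job stop with a readable reason instead of failing inside `npm publish`.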