From 2c80fe4d635362927a48107dd544d731d305d1ab Mon Sep 17 00:00:00 2001
From: Paul Carleton
Date: Wed, 28 Jan 2026 15:17:50 +0000
Subject: [PATCH] ci: migrate to OIDC trusted publishing, add workflow_dispatch for prerelease testing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove NPM_TOKEN / NODE_AUTH_TOKEN — publish now uses OIDC trusted publishing (no secrets needed)
- Add workflow_dispatch trigger with prerelease checkbox: publishes to alpha dist-tag so we can verify OIDC works without touching latest
- Drop --provenance flag (included automatically with trusted publishing)

The release event path still publishes to latest as before; the only change is the auth mechanism.

To test: bump version to x.y.z-alpha.0 on a branch, then run workflow with prerelease checked.
---
 .github/workflows/ci.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e8f4711..7401cfa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,12 @@ on:
 pull_request:
 release:
 types: [published]
+ workflow_dispatch:
+ inputs:
+ prerelease:
+ description: 'Publish as prerelease (alpha tag). Version must already be bumped in package.json on the branch.'
+ type: boolean
+ default: false
 
 permissions:
 contents: read
@@ -31,7 +37,7 @@ jobs:
 
 publish:
 runs-on: ubuntu-latest
- if: github.event_name == 'release'
+ if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.prerelease == 'true')
 environment: release
 needs: [test]
 
@@ -48,6 +54,11 @@ jobs:
 registry-url: 'https://registry.npmjs.org'
 
 - run: npm ci
- - run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+ - name: Publish to npm
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ npm publish --access public --tag alpha
+ else
+ npm publish --access public
+ fi
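Review bot: The new `workflow_dispatch` trigger lets any actor with write access to the repository start a publish from any branch, and nothing in this hunk narrows that; the only gate is the `environment: release` on the publish job (context in the second hunk), whose protection rules — required reviewers, deployment-branch policy — live in repository settings and are not visible in this file. That dependency deserves a comment next to the trigger so a later edit does not remove the environment or relax its rules without noticing: `# Manual runs publish to the 'alpha' dist-tag; who may trigger them is governed by the 'release' environment protection rules, not by this file.` Whether those rules are actually configured cannot be confirmed from the diff, so it is worth checking that the environment has a branch policy or reviewer requirement before this lands.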
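Review bot: Trusted publishing authenticates the job through the GitHub OIDC token, which requires `id-token: write` on the publish job; the workflow's top-level `permissions:` block (context in the first hunk) grants only `contents: read`, and this hunk, where the job is defined, adds no job-level grant. Unless the lines between this hunk and the next already declare it, the publish step cannot obtain the OIDC token and will fail with an authentication error now that `NODE_AUTH_TOKEN` is gone; add under `publish:`: `permissions:` / `contents: read` / `id-token: write`. Separately, `github.event.inputs.prerelease == 'true'` only works because `github.event.inputs` values are always strings; since the input is declared `type: boolean`, the typed `inputs` context reads more directly: `if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.prerelease)`. The publish job's definition continues past the end of this hunk.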
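Review bot: Nothing in the new `Publish to npm` step checks that the version in package.json actually carries a prerelease identifier before `npm publish --access public --tag alpha` runs; the only safeguard is the input description asking the operator to have bumped it. A manual run from a branch where the version is still a plain release number would publish that number under the `alpha` dist-tag and consume it permanently, since published versions are immutable and `--tag alpha` only changes which dist-tag points at them. A guard step placed before the publish step, shown below, refuses to proceed on manual runs unless the version contains a `-` prerelease suffix. The commit message's claim that provenance is attached automatically holds only for an npm CLI recent enough to support trusted publishing; the `setup-node` step that determines the npm version is outside this hunk, so confirm the Node version it pins ships such an npm.
```yaml
      - run: npm ci

      - name: Refuse to publish a non-prerelease version to alpha
        if: github.event_name == 'workflow_dispatch'
        run: |
          version="$(npm pkg get version | tr -d '"')"
          case "$version" in
            *-*) echo "publishing prerelease $version to the alpha dist-tag" ;;
            *) echo "::error::version $version has no prerelease suffix; refusing to publish to alpha"; exit 1 ;;
          esac

      # … unchanged: Publish to npm step …
```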