chore(ci): use trusted publishing for npm packages

2026-01-07 22:04:10 -05:00 · 2025-10-16 10:44:11 +02:00
parent 0e1082f465
commit 23d7e0d844
1 changed files with 7 additions and 3 deletions
--- a/.github/workflows/make_release_tfhe.yml
+++ b/.github/workflows/make_release_tfhe.yml
@@ -64,7 +64,7 @@ jobs:
    # For provenance of npmjs publish
    permissions:
      contents: read
-      id-token: write # also needed for OIDC token exchange on crates.io
+      id-token: write # also needed for OIDC token exchange on crates.io and npmjs.com
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -83,11 +83,16 @@ jobs:
        run: |
          make build_web_js_api_parallel

+      - name: Authenticate on NPM
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
      - name: Publish web package
        if: ${{ inputs.push_web_package }}
        uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
        with:
-          token: ${{ secrets.NPM_TOKEN }}
          package: tfhe/pkg/package.json
          dry-run: ${{ inputs.dry_run }}
          tag: ${{ env.NPM_TAG }}
@@ -105,7 +110,6 @@ jobs:
        if: ${{ inputs.push_node_package }}
        uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
        with:
-          token: ${{ secrets.NPM_TOKEN }}
          package: tfhe/pkg/package.json
          dry-run: ${{ inputs.dry_run }}
          tag: ${{ env.NPM_TAG }}