feat: use trusted publishing by disabling npm publish in semantic-release and publishing manually

strausr · strausr · commit e2dbe197b458 · 2026-01-26T20:06:38.000-08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -97,35 +97,34 @@ jobs:
           echo "=== Git tags ==="
           git tag
 
-      - name: Extract npm token for semantic-release
+      - name: Release with semantic-release
+        id: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx semantic-release
+
+      - name: Publish to npm using trusted publishing
         run: |
-          echo "=== Extracting npm token ==="
+          echo "=== Publishing to npm with trusted publishing (OIDC) ==="
           
-          # Copy .npmrc created by setup-node
+          # Ensure .npmrc is available (setup-node should have created it)
           if [ -f "$NPM_CONFIG_USERCONFIG" ]; then
             cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc
-            echo "✓ Copied .npmrc to ~/.npmrc"
-            
-            # Extract token
-            NPM_TOKEN=$(grep '_authToken' ~/.npmrc | sed 's/.*_authToken=//' | head -1 | tr -d '\n\r\t ' || echo "")
+            echo "✓ Using .npmrc for authentication"
+          fi
+          
+          # Get version from package.json (updated by semantic-release)
+          VERSION=$(node -p "require('./package.json').version")
+          CURRENT_TAG=$(git describe --tags --exact-match 2>/dev/null || echo "")
+          
+          # Only publish if semantic-release created a new version
+          if [ -n "$CURRENT_TAG" ]; then
+            echo "New release detected: $CURRENT_TAG"
+            echo "Publishing version: $VERSION"
             
-            if [ -n "$NPM_TOKEN" ] && [ ${#NPM_TOKEN} -gt 10 ]; then
-              echo "::add-mask::$NPM_TOKEN"
-              echo "NPM_TOKEN=$NPM_TOKEN" >> $GITHUB_ENV
-              echo "✓ NPM_TOKEN extracted (length: ${#NPM_TOKEN} chars)"
-              echo ""
-              echo "Note: Token may not work for 'npm whoami' but should work for 'npm publish'"
-              echo "semantic-release will attempt to use it for publishing"
-            else
-              echo "✗ Could not extract valid token"
-              exit 1
-            fi
+            # Publish using npm publish which supports OIDC/trusted publishing
+            npm publish --provenance --access public
+            echo "✓ Published $VERSION to npm"
           else
-            echo "✗ .npmrc not found"
-            exit 1
+            echo "No new release created, skipping npm publish"
           fi
-
-      - name: Release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npx semantic-release
diff --git a/.releaserc.json b/.releaserc.json
@@ -13,9 +13,8 @@
     [
       "@semantic-release/npm",
       {
-        "npmPublish": true,
-        "registry": "https://registry.npmjs.org/",
-        "pkgRoot": "."
+        "npmPublish": false,
+        "tarballDir": "dist"
       }
     ],
     [

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,8 @@`
`13`	`13`	`[`
`14`	`14`	`"@semantic-release/npm",`
`15`	`15`	`{`
`16`		`- "npmPublish": true,`
`17`		`- "registry": "https://registry.npmjs.org/",`
`18`		`- "pkgRoot": "."`
	`16`	`+ "npmPublish": false,`
	`17`	`+ "tarballDir": "dist"`
`19`	`18`	`}`
`20`	`19`	`],`
`21`	`20`	`[`