Skip to content

chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows#30787

Merged
gnbm merged 2 commits intomainfrom
gm/release-action-fix1
Nov 17, 2025
Merged

chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows#30787
gnbm merged 2 commits intomainfrom
gm/release-action-fix1

Conversation

@gnbm
Copy link
Contributor

@gnbm gnbm commented Nov 17, 2025

Issue number: resolves #

What is the current behavior?

  • Publishing to npm is failing due to the changes to move to Trusted Publishers, since it seems that they still don't support reusable workflows, as mentioned here
  • The action to which we grant permissions on npm needs to follow a strict path location .github/workflows/ in your repository.

What is the new behavior?

  • Fixed permissions mismatch by applying the orchestrator method for npm publish:
    release-orchestrator.yml (contents: read, id-token: write)

    ├─→ nightly.yml (contents: read, id-token: write)
    │ └─→ release-ionic.yml (contents: read, id-token: write)
    │ └─→ publish-npm.yml (contents: read, id-token: write) ✅

    ├─→ dev-build.yml (contents: read, id-token: write)
    │ └─→ release-ionic.yml (contents: read, id-token: write)
    │ └─→ publish-npm.yml (contents: read, id-token: write) ✅

    └─→ release.yml (contents: read, id-token: write)
    └─→ release-ionic.yml (contents: read, id-token: write)
    └─→ publish-npm.yml (contents: read, id-token: write) ✅

  • release-orchestrator.yml calls three workflows: nightly.yml, dev-build.yml, and release.yml.

  • All three call release-ionic.yml, which handles publishing multiple packages.

  • release-ionic.yml calls publish-npm.yml multiple times (once per package).

  • All workflows have contents: read and id-token: write permissions.

  • publish-npm.yml is in .github/workflows/, which satisfies npm Trusted Publishers requirements.

  • This shows that publish-npm.yml is reachable through all three release paths, and moving it to .github/workflows/ ensures npm Trusted Publishers can authenticate it correctly.

Does this introduce a breaking change?

  • Yes
  • No
  • Run pipelines after merge

Other information

  • The workflow release-orchestrator.yml needs to be the one set up in the npm package settings for the Trusted Publishers

@vercel
Copy link

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
ionic-framework Ready Ready Preview Comment Nov 17, 2025 5:05pm

@gnbm gnbm changed the title bug(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows fix(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm changed the title fix(npm): Attempt to fix issue with Trusted Publishers when using reusable workflows fix(npm): attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm marked this pull request as ready for review November 17, 2025 17:11
@gnbm gnbm requested a review from a team as a code owner November 17, 2025 17:11
@gnbm gnbm requested a review from thetaPC November 17, 2025 17:11
@gnbm gnbm enabled auto-merge November 17, 2025 17:21
@gnbm gnbm requested review from OS-jacobbell and ShaneK November 17, 2025 17:22
@gnbm gnbm disabled auto-merge November 17, 2025 17:27
@ShaneK ShaneK changed the title fix(npm): attempt to fix issue with Trusted Publishers when using reusable workflows chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows Nov 17, 2025
@gnbm gnbm added this pull request to the merge queue Nov 17, 2025
Merged via the queue into main with commit ecc2911 Nov 17, 2025
52 of 54 checks passed
@gnbm gnbm deleted the gm/release-action-fix1 branch November 17, 2025 18:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ShaneK ShaneK ShaneK approved these changes

@OS-jacobbell OS-jacobbell OS-jacobbell approved these changes

@thetaPC thetaPC Awaiting requested review from thetaPC thetaPC is a code owner automatically assigned from ionic-team/framework

Assignees

No one assigned

Labels

github_actions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gnbm @ShaneK @OS-jacobbell