14 changes: 9 additions & 5 deletions .github/workflows/publish.yml
@@ -5,6 +5,10 @@ on:
types:
- "published"

permissions:
contents: read
id-token: write

jobs:
publish:
name: Publish to NPM
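Review bot: `id-token: write` in the top-level `permissions` block applies to every job in this workflow, not only `publish`; since only the `npm publish` step needs an OIDC token, move the block under `jobs.publish` (keeping `contents: read` at the top level) so any job added later does not inherit the ability to mint identity tokens.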
@@ -19,10 +23,12 @@ jobs:

- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
cache-dependency-path: ./yarn.lock
cache: "yarn"
node-version: 20
node-version: 22.14.0
registry-url: "https://registry.npmjs.org"
package-manager-cache: false

- name: Install npm with trusted publishing support
run: npm install --global npm@^11.5.1

- name: Install dependencies
run: yarn install --frozen-lockfile --non-interactive
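Review bot: `npm install --global npm@^11.5.1` in the new step is a floating caret range, so each release run resolves whatever npm 11.x is current at that moment, while the surrounding steps pin `actions/setup-node` to a commit SHA and Node to `22.14.0`. Pin npm to an exact version (for example `npm@11.5.1`, or whichever version was tested) so the tool that performs the publish is reproducible and bumped deliberately. Also, `cache: "yarn"` with `cache-dependency-path` alongside the new `package-manager-cache: false` reads as two caching settings pulling in different directions; a one-line comment on which one is intended would help the next reader.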
@@ -43,5 +49,3 @@ jobs:

- name: Publish to NPM
run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
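Review bot: removing the `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env means the workflow no longer uses the token, but nothing in this PR revokes the token on npmjs.com or deletes the `NPM_TOKEN` repository secret. A long-lived automation token with read and write permission (as RELEASE.md described it) stays valid until revoked, so add that as an explicit follow-up step and mention it in RELEASE.md alongside the new Trusted Publisher section.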
26 changes: 15 additions & 11 deletions RELEASE.md
@@ -86,14 +86,18 @@ yarn buf:generate

## Configuration

### Required Secrets
### Trusted Publisher

Set in GitHub repository settings:
Publishing uses npm trusted publishing, so no long-lived npm publish token is required.

- **NPM_TOKEN**: Authentication token for publishing to NPM
- Create at [npmjs.com](https://www.npmjs.com/) → Access Tokens
- Type: **Automation**
- Permission: **Read and Write**
Configure the trusted publisher in the npm package settings:

- **Publisher**: GitHub Actions
- **Organization or user**: `Permify`
- **Repository**: `permify-node`
- **Workflow filename**: `publish.yml`
- **Allowed actions**: `npm publish`
- **Environment name**: leave empty unless `.github/workflows/publish.yml` is updated to use a matching GitHub environment

## Workflows

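Review bot: the Trusted Publisher section describes only the npm-side settings; add one sentence on the workflow-side requirements the same PR introduces (`permissions: id-token: write` and an npm version with trusted publishing support, which the `npm install --global npm@^11.5.1` step provides), and note that the publisher binding is by organization, repository name and workflow filename, so renaming `publish.yml` or moving the repository breaks publishing until the npm settings are updated to match.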
@@ -103,11 +107,11 @@ Set in GitHub repository settings:

**Steps**:
1. Checkout code
2. Setup Node.js 20
2. Setup Node.js with npm trusted publishing support
3. Install dependencies
4. Build (`yarn build`)
5. Update version
6. Publish to NPM
6. Publish to NPM using GitHub OIDC

### 2. Proto Update Workflow (`.github/workflows/protos.yml`)

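Review bot: step 2, "Setup Node.js with npm trusted publishing support", folds two workflow steps into one and drops the Node version the old text stated; the workflow now has a `setup-node` step (Node 22.14.0) followed by a separate "Install npm with trusted publishing support" step, so list them as two steps with the version, otherwise the numbered steps no longer match the workflow.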
@@ -129,7 +133,8 @@ yarn build

### Publish Failed

- Check if `NPM_TOKEN` is valid
- Verify the npm trusted publisher settings match `Permify/permify-node` and `publish.yml`
- Check that the workflow has `id-token: write` permission
- Verify version doesn't already exist on NPM
- Check [Actions logs](https://github.com/Permify/permify-node/actions)

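Review bot: the new troubleshooting bullets cover the npm publisher settings and the `id-token: write` permission but not the third thing trusted publishing depends on here, the npm version the runner actually uses. If the "Install npm with trusted publishing support" step is skipped or fails, `npm publish` runs with the npm bundled with Node 22.14.0, so add a bullet along the lines of "Check that the Actions log shows npm 11.5.1 or newer before the publish step".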
@@ -159,11 +164,10 @@ Before releasing:
- [ ] Version number follows semantic versioning
- [ ] Release notes prepared
- [ ] Breaking changes documented (if any)
- [ ] NPM_TOKEN is valid
- [ ] npm trusted publisher is configured for `.github/workflows/publish.yml`

## Links

- [NPM Package](https://www.npmjs.com/package/@permify/permify-node)
- [GitHub Repository](https://github.com/Permify/permify-node)
- [Buf Schema Registry](https://buf.build/permifyco/permify)
