ci: migrate to OIDC trusted publishing#10
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: npm publish (OIDC trusted publishing) | ||
| if: steps.npmcheck.outputs.published != 'true' | ||
| run: npm publish --access public |
There was a problem hiding this comment.
The new publish workflow removes NODE_AUTH_TOKEN but the publish step now calls npm publish --access public without enabling provenance (--provenance/NPM_CONFIG_PROVENANCE) or any other authentication. npm only uses GitHub’s OIDC flow when provenance is requested; otherwise it expects an auth token and exits with EAUTH/ENEEDAUTH. On any tag push this step will fail before releasing the package, blocking trusted publishing entirely.
Useful? React with 👍 / 👎.
1 participant
CI/CDをOIDC Trusted Publishingに移行し、workflowを最小化します。\n\n- .github/workflows を ci.yml / publish.yml に整理\n- npm publish は OIDC (id-token) で実行し、NPM_TOKEN を不要に\n- squash merge 前提で PR title を Conventional 形式に検証\n