Update to use Node OIDC Token

rwinch · rwinch · commit 4b7c20a037d3 · 2026-03-16T09:01:12.000-05:00
This uses the OIDC GitHub token for publishing to the NPM Registry See https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       release-version:
         description: Enter version to release (e.g., 1.0.1).
         required: false
+permissions:
+  # Required for OIDC. See https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
+  id-token: write
+  contents: write
 jobs:
   perform:
     if: github.event_name == 'workflow_dispatch' && github.repository_owner == 'spring-io'
@@ -14,13 +18,13 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
     - name: Install Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: '16'
+        registry-url: 'https://registry.npmjs.org'
         cache: 'npm'
     - name: Set up release environment
       run: |
         echo RELEASE_VERSION=${{ github.event.inputs.release-version }} >> $GITHUB_ENV
-        echo RELEASE_NPM_TOKEN=${{ secrets.NPM_TOKEN }} >> $GITHUB_ENV
     - name: Build, tag, and publish npm package
       run: ./npm/release.sh
diff --git a/npm/release.sh b/npm/release.sh
@@ -5,13 +5,6 @@
 if [ ! -v RELEASE_USER ]; then
   export RELEASE_USER=$GITHUB_ACTOR
 fi
-#if [ ! -v RELEASE_NPM_TOKEN ]; then
-#  declare -n RELEASE_NPM_TOKEN="RELEASE_NPM_TOKEN_$RELEASE_USER"
-#fi
-if [ -z "$RELEASE_NPM_TOKEN" ]; then
-  echo No npm token specified for publishing to npmjs.com. Stopping release.
-  exit 1
-fi
 export RELEASE_BRANCH=${GITHUB_REF_NAME:-main}
 RELEASE_GIT_NAME=$(curl -s https://api.github.com/users/$RELEASE_USER | jq -r .name)
 RELEASE_GIT_EMAIL=$RELEASE_USER@users.noreply.github.com
@@ -34,9 +27,6 @@ fi
 git config --local user.name "$RELEASE_GIT_NAME"
 git config --local user.email "$RELEASE_GIT_EMAIL"
 
-# configure npm client for publishing
-echo -e "//registry.npmjs.org/:_authToken=$RELEASE_NPM_TOKEN" > $HOME/.npmrc
-
 # release!
 (
   set -e
@@ -54,9 +44,6 @@ echo -e "//registry.npmjs.org/:_authToken=$RELEASE_NPM_TOKEN" > $HOME/.npmrc
 
 exit_code=$?
 
-# nuke npm settings
-rm -f $HOME/.npmrc
-
 # check for any uncommitted files
 git status -s -b
 
