Migrate npm publishing to trusted publishers with yarn 4 and Node 22 #109

Merged
dmattia merged 13 commits into main from copilot/update-npm-trusted-publishing
Dec 22, 2025

Contributor

Copilot AI commented Dec 18, 2025

  • Update all actions/setup-node to v6
  • Add npm 11.5.1 installation step after setup-node in build-to-npm job
  • Add permissions (id-token: write, contents: read, packages: write) to workflow
  • Remove NPM_TOKEN authentication from build-to-npm job (keep for build-to-github-packages)
  • Set NODE_AUTH_TOKEN="" when publishing to npm (removed per code review)
  • Bump version in typescript/package.json from 1.4.2 to 1.4.3
  • Verify workflow syntax is correct
  • Add registry-url to setup-node for proper npm configuration
  • Address code review feedback
  • Run pre-commit hooks (doctoc updated python/README.md TOC)
  • Fix pre-commit action version to v3.0.0
  • Update to yarn 4.12.0 and Node.js 22.x across all CI jobs
  • Add --provenance flag to npm publish for package attestation
Original prompt

This section details on the original issue you should resolve

<issue_title>@copilot use npm trusted publishing</issue_title>
<issue_description>- make sure we use actions/setup-node@v6, not older versions

  • after calling setup-node, run this code:
        # See: https://docs.npmjs.com/trusted-publishers
        # See: https://github.com/actions/setup-node/issues/1445
        - name: Set npm to version that supports trusted publishers
          run: npm install -g npm@11.5.1
          shell: bash
  • set permissions on the github workflow to:
        permissions:
          id-token: write
          contents: read
          packages: write
  • when calling pnpm publish to npm, set NODE_AUTH_TOKEN=""
  • bump the version in package.json
  • remove npm authentication using NPM_TOKEN, such as:
        - name: Configure npm authentication
          run: |
            pnpm config set always-auth true
            pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"

This should only be removed for npm publishing, not to github packages</issue_description>

Comments on the Issue (you are @copilot in this section)



Member

dmattia commented Dec 18, 2025

Copilot AI and others added 2 commits December 18, 2025 23:57
- Update all actions/setup-node to v6
- Add npm 11.5.1 installation for trusted publishers support
- Add workflow permissions (id-token: write, contents: read, packages: write)
- Remove NPM_TOKEN authentication from npm publishing (use trusted publishing)
- Set NODE_AUTH_TOKEN="" for npm publish
- Bump typescript package version from 1.4.2 to 1.4.3
- Keep NPM_TOKEN for GitHub packages publishing

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
- Add registry-url to setup-node for npm trusted publishing
- Remove unnecessary NODE_AUTH_TOKEN environment variable

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update workflow for npm trusted publishing" to "Migrate npm publishing to trusted publishers" Dec 18, 2025
Copilot AI requested a review from dmattia December 19, 2025 00:00
Member

dmattia commented Dec 19, 2025

@copilot run pre-commit run -a

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 19, 2025

> @copilot run pre-commit run -a

Ran pre-commit hooks successfully. The doctoc hook updated the table of contents in python/README.md (commit c081f4d).

Note: The eslint hook failed due to a pre-existing Node.js v20/PnP loader compatibility issue (ERR_LOADER_CHAIN_INCOMPLETE), which is unrelated to the changes in this PR.

Member

dmattia commented Dec 19, 2025

@copilot Fix the error in https://github.com/transcend-io/examples/actions/runs/20355500697/job/58492261196?pr=109

I think bumping a version in the github workflow should work for the pre-commit action

Fixes GitHub Actions cache service errors in the run-pre-commits job

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 19, 2025

> @copilot Fix the error in https://github.com/transcend-io/examples/actions/runs/20355500697/job/58492261196?pr=109
>
> I think bumping a version in the github workflow should work for the pre-commit ac...

Fixed by upgrading pre-commit action from v2.0.2 to v4.0.0 (commit ec8601d). This should resolve the GitHub Actions cache service errors.

Member

dmattia commented Dec 20, 2025

@copilot I see

    Current runner version: '2.330.0'
    Runner Image Provisioner
    Operating System
    Runner Image
    GITHUB_TOKEN Permissions
    Secret source: Actions
    Prepare workflow directory
    Prepare all required actions
    Getting action download info
    Error: Unable to resolve action pre-commit/action@v4.0.0, unable to find version v4.0.0

Use v3.0.0

dmattia marked this pull request as ready for review December 20, 2025 20:08
v4.0.0 doesn't exist, using v3.0.0 instead

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 20, 2025

> @copilot I see Current runner version: '2.330.0'
> Runner Image Provisioner
> Operating System
> ...

Fixed in commit 713e047. Changed pre-commit action version from v4.0.0 to v3.0.0.

Member

dmattia commented Dec 20, 2025

@copilot run yarn set version 4.12.0, then add --provenance to yarn npm publish to npm (but not to github) and update CI to use node 22

- Run yarn set version 4.12.0
- Update all CI jobs to use Node.js 22.x instead of 14.x
- Add --provenance flag to npm publish for attestation
- GitHub packages publish remains without provenance flag

Co-authored-by: dmattia <8922077+dmattia@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 20, 2025

> @copilot run yarn set version 4.12.0, then add --provenance to yarn npm publish to npm (but not to github) and update CI to use node 22

Completed in commit c52484d:

  • Updated yarn to version 4.12.0
  • Changed all CI jobs to use Node.js 22.x
  • Added --provenance flag to npm publish (not to GitHub packages)

Copilot AI changed the title from "Migrate npm publishing to trusted publishers" to "Migrate npm publishing to trusted publishers with yarn 4 and Node 22" Dec 20, 2025
dmattia merged commit 97aa385 into main Dec 22, 2025
10 checks passed
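
A check that could be run against a workflow after a migration like the one in this thread, added here as an example and not code from this PR or the repository: it lints the npm publish job against the checklist in the issue (OIDC permission, no long-lived token, setup-node v6, npm 11.5.1 or later, `--provenance`). The sample workflow text, the function names `jobBlock` and `auditNpmJob`, and the two-space YAML indentation are assumptions of this example.

```javascript
// Constructed sample workflow: job names come from the PR, step details are assumed.
const SAMPLE = `
permissions:
  id-token: write
jobs:
  build-to-npm:
    steps:
      - uses: actions/setup-node@v4
      - run: npm install -g npm@11.5.1
      - run: yarn npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
  build-to-github-packages:
    steps:
      - uses: actions/setup-node@v6
      - run: yarn npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Text of one job: lines after "  <name>:" up to the next key indented two spaces or less.
function jobBlock(workflow, name) {
  const lines = workflow.split('\n');
  const start = lines.indexOf(`  ${name}:`);
  if (start < 0) return null;
  const rest = lines.slice(start + 1);
  const end = rest.findIndex((l) => /^ {0,2}\S/.test(l));
  return (end < 0 ? rest : rest.slice(0, end)).join('\n');
}

// Line-based checks for the PR's checklist (assumed layout; SHA-pinned refs are not compared).
function auditNpmJob(workflow, name) {
  const job = jobBlock(workflow, name);
  if (job === null) return [`job ${name} not found`];
  const scope = workflow.split(/^jobs:/m)[0] + job; // top-level keys plus this job
  const out = [];
  if (!/^\s*id-token:\s*write\s*$/m.test(scope)) out.push('no id-token: write');
  if (/secrets\.NPM_TOKEN/.test(job)) out.push('long-lived NPM_TOKEN still used');
  for (const m of job.matchAll(/actions\/setup-node@v(\d+)/g))
    if (Number(m[1]) < 6) out.push(`setup-node v${m[1]} is older than v6`);
  const npm = job.match(/npm install -g npm@(\d+)\.(\d+)\.(\d+)/);
  const ok = npm && [11, 5, 1].reduce((c, w, i) => c || Math.sign(npm[i + 1] - w), 0) >= 0;
  if (!ok) out.push('npm not pinned to 11.5.1 or later');
  for (const l of job.split('\n'))
    if (/\bnpm publish\b/.test(l) && !l.includes('--provenance')) out.push('publish without --provenance');
  return out;
}

console.log(auditNpmJob(SAMPLE, 'build-to-npm'));
```

The audit is meant for the job that publishes to npm only; the GitHub Packages job in this PR deliberately keeps its token and publishes without provenance.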