Merge pull request #3 from stainless-sdks/sam/npm-trusted-publisher

npm: publish with trusted publisher

Author: easyCZ

.github/workflows/publish-npm.yml

@@ -12,14 +12,18 @@ jobs:
   publish:
     name: publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: |
@@ -28,5 +32,3 @@ jobs:
       - name: Publish to NPM
         run: |
           bash ./bin/publish-npm
-        env:
-          NPM_TOKEN: ${{ secrets.GITPOD_NPM_TOKEN || secrets.NPM_TOKEN }}

bin/check-release-environment

@@ -2,9 +2,11 @@
 
 errors=()
 
-if [ -z "${NPM_TOKEN}" ]; then
-  errors+=("The NPM_TOKEN secret has not been set. Please set it in either this repository's secrets or your organization secrets")
-fi
+# Note: unnecessary for npm trusted publishers (i.e. OIDC)
+#
+# if [ -z "${NPM_TOKEN}" ]; then
+#   errors+=("The GITPOD_NPM_TOKEN secret has not been set. Please set it in either this repository's secrets or your organization secrets")
+# fi
 
 lenErrors=${#errors[@]}
 

bin/publish-npm

@@ -2,8 +2,6 @@
 
 set -eux
 
-npm config set '//registry.npmjs.org/:_authToken' "$NPM_TOKEN"
-
 yarn build
 cd dist