chore: CI: publish to npm using OIDC tokens (#36)

derhuerst · web-flow · commit d0120439e645 · 2025-10-22T20:44:53.000+02:00
see also https://docs.npmjs.com/trusted-publishers
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  id-token: write # for OIDC-based publishing to npm
+
 jobs:
   build-and-push-docker:
     runs-on: ubuntu-latest
@@ -53,7 +56,9 @@ jobs:
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'
+      # for OIDC-based publishing to npm
+      - name: setup npm v11
+        run: npm install -g npm@11
+
       - run: npm ci
       - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}      
