Use trusted publishing (OIDC) instead of npm token

Co-authored-by: Ona <no-reply@ona.com>
2026-03-19 19:31:17 +00:00 · 2026-02-28 01:57:57 +00:00
parent 4bd3a5f2da
commit 00a5e83e8b
1 changed files with 5 additions and 2 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
 jobs:
  publish:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@v4

@@ -18,6 +21,6 @@ jobs:

      - run: bun test

-      - run: bun publish --access public
+      - run: bun publish --access public --provenance
        env:
-          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_REGISTRY: https://registry.npmjs.org