@@ -9,10 +9,11 @@ name: 🚀 Release & Deployment
99# - Enable at: https://docs.npmjs.com/trusted-publishers
1010# - See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
1111#
12- # ✅ OPTION 2: Granular Access Token (with 90-day max expiration)
13- # - Create token: npm token create [--read-only]
12+ # ✅ OPTION 2: Granular Access Token (with 90-day max expiration & Bypass 2FA)
13+ # - Create token: npm token create
14+ # - Permissions: "Publish" with "Bypass 2FA for automation" ENABLED
15+ # - Max expiration: 90 days for security
1416# - Store as 'NPM_TOKEN' secret in repository settings
15- # - Recommended: Enable "Bypass 2FA" for non-interactive workflows
1617#
1718# ❌ DO NOT USE: Classic tokens (permanently revoked)
1819#
@@ -304,12 +305,6 @@ jobs:
304305 - name : 📦 Install Dependencies
305306 run : npm ci
306307
307- - name : 🧪 Final Pre-Publish Tests
308- run : |
309- echo "Running final validation before npm publish..."
310- npm test
311- npm run benchmark
312-
313308 - name : 📝 Enable NPM Provenance
314309 run : |
315310 npm pkg set publishConfig.provenance=true
@@ -328,8 +323,6 @@ jobs:
328323 fi
329324
330325 echo "🎉 Successfully published algorith@${{ needs.prepare-release.outputs.version }} to NPM!"
331- env :
332- NODE_AUTH_TOKEN : ${{ secrets.NPM_TOKEN }}
333326
334327 - name : 📢 Post-Publish Verification
335328 run : |
@@ -338,6 +331,12 @@ jobs:
338331 npm view algorith@${{ needs.prepare-release.outputs.version }}
339332 echo "✅ Package verified on NPM registry"
340333
334+ - name : 📋 Setup for OIDC Trusted Publishing
335+ if : ${{ env.NODE_AUTH_TOKEN == '' }}
336+ run : |
337+ echo "ℹ️ OIDC Trusted Publishing is configured"
338+ echo "🔐 Token automatically injected by actions/setup-node"
339+
341340 # Job 7: Post-release actions
342341 post-release :
343342 name : 🎊 Post-Release Actions
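Review bot: The `📋 Setup for OIDC Trusted Publishing` step added after `📢 Post-Publish Verification` only echoes that OIDC is configured: it runs once the publish has already happened, checks nothing, and its claim that the token is "automatically injected by actions/setup-node" does not match how trusted publishing works (the npm CLI performs the OIDC exchange, and the job needs `permissions: id-token: write`, which is not visible in these hunks). Because the same commit removes `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` from the publish step, the `if: ${{ env.NODE_AUTH_TOKEN == '' }}` guard is presumably always true unless the variable is set at job or workflow level outside the visible lines. That removal also leaves the header's OPTION 2 (granular token stored as `NPM_TOKEN`) documented but apparently unused, so a maintainer following it would create a 2FA-bypassing publish token that the workflow never reads; I would either delete OPTION 2 from the header or add `# NOTE: this workflow publishes via OIDC only; NPM_TOKEN is not read` above it. I would drop the echo step, or move it before the publish as a real preflight that fails when neither OIDC nor a token is available. Separately, the deleted `🧪 Final Pre-Publish Tests` step was the last test gate in this job, so confirm that an earlier job this one `needs` still runs `npm test`.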