From 04148f0a679c1af469ed9b13a5575d8b93555ef7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bedr=CC=8Cich=20Schindler?=
Date: Sat, 20 Dec 2025 13:42:32 +0100
Subject: [PATCH 1/2] Drop access token in favor of OICD to authenticate against npm (#685)

This requires to add thrust published on npmjs.com before running `publish_package_to_npm` job. `NPM_PUBLISH_TOKEN` secret can be then removed from repository settings.
---
 .github/workflows/release-management.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-management.yml b/.github/workflows/release-management.yml
index b3534faf..962be175 100644
--- a/.github/workflows/release-management.yml
+++ b/.github/workflows/release-management.yml
@@ -4,6 +4,10 @@ on:
 push:
 branches: [ master ]
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 test_and_build:
 name: Test and build
@@ -103,8 +107,6 @@ jobs:
 - name: Publish to npm
 run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_PUBLISH_TOKEN}}
 deploy_docs:
 name: Deploy docs
From bbdc6e04efa4f604155e70693fab8139fcc449fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bedr=CC=8Cich=20Schindler?=
Date: Sat, 20 Dec 2025 13:57:55 +0100
Subject: [PATCH 2/2] Generate and publish provenance statements to npm (#687)

---
 .github/workflows/release-management.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-management.yml b/.github/workflows/release-management.yml
index 962be175..8647f3a3 100644
--- a/.github/workflows/release-management.yml
+++ b/.github/workflows/release-management.yml
@@ -106,7 +106,7 @@ jobs:
 run: npm ci
 - name: Publish to npm
- run: npm publish
+ run: npm publish --provenance
 deploy_docs:
 name: Deploy docs
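Review bot: In [PATCH 1/2], the new top-level `permissions:` block grants `id-token: write` to every job in the workflow, including `test_and_build` and `deploy_docs`, although only the npm publish job needs an OIDC token. Because npm's trusted-publisher binding is to the workflow file, any step in those other jobs, third-party actions and `npm ci` install scripts included, would run with a permission that is effectively publish rights. Keep only `contents: read` at the top level and give the publishing job its own `permissions:` block with `contents: read` and `id-token: write`. A top-level block also replaces the default token scopes for all jobs, so confirm that `deploy_docs` (defined outside this hunk) still works with read-only `contents`.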
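Review bot: In the second hunk of [PATCH 1/2], once the `env:` block is removed nothing on the `Publish to npm` step says where credentials come from, so a later maintainer may re-add a long-lived token when a publish fails. A comment above `run: npm publish` such as `# Auth: npm trusted publishing via OIDC (needs id-token: write); do not set NODE_AUTH_TOKEN` would record that. Trusted publishing needs a recent npm CLI (npm's documentation states 11.5.1 or later), and the Node/npm setup step is outside this hunk, so confirm the version there. Deleting the `NPM_PUBLISH_TOKEN` secret from repository settings does not invalidate the token, so it should also be revoked on npmjs.com.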
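Review bot: In [PATCH 2/2], `npm publish --provenance` rejects the publish when the `repository` field in `package.json` does not match the repository the workflow runs in, and nothing in this hunk checks that. Verify the field before the first release from this workflow. Provenance signing depends on `id-token: write`, so a comment on the step such as `# --provenance requires id-token: write on this job` would keep the two changes linked if the permissions are later tightened. With trusted publishing npm is documented to attach provenance automatically, so the flag mainly makes the intent explicit and is harmless to keep.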