
Commit 720ecb9

committed
chore: ci workflow with oidc
1 parent faa6762 commit 720ecb9


1 file changed

+25
-7
lines changed


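--- a/.github/workflows/npm_release.yml
+++ b/.github/workflows/npm_release.yml
@@ -34,7 +34,7 @@ jobs:
 key: ${{ hashFiles('download_llvm.sh') }}
 - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
-node-version: 20
+node-version: 22
 registry-url: "https://registry.npmjs.org"
 - name: Install Python
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
@@ -101,7 +101,7 @@ jobs:
 key: ${{ hashFiles('download_llvm.sh') }}
 - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
-node-version: 20
+node-version: 22
 - name: Install Python
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
 with:
@@ -150,6 +150,7 @@ jobs:
 path: ${{env.TEST_FOLDER}}/test_results.xcresult
 publish:
 runs-on: ubuntu-latest
+environment: npm-publish
 needs:
 - build
 - test
@@ -166,16 +167,33 @@ jobs:
 egress-policy: audit
 - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
-node-version: 20
+node-version: 22
 registry-url: "https://registry.npmjs.org"
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 with:
 name: npm-package
 path: dist
-- name: Publish package
+- name: Update npm (required for OIDC trusted publishing)
 run: |
-echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG..."
-npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --provenance
+npm install -g npm@^11.5.1
+npm --version
+- name: Publish package (OIDC trusted publishing)
+if: ${{ vars.USE_NPM_TOKEN != 'true' }}
+run: |
+echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via OIDC trusted publishing..."
+unset NODE_AUTH_TOKEN
+if [ -n "${NPM_CONFIG_USERCONFIG:-}" ]; then
+rm -f "$NPM_CONFIG_USERCONFIG"
+fi
+npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
+env:
+NODE_AUTH_TOKEN: ""
+
+- name: Publish package (granular token)
+if: ${{ vars.USE_NPM_TOKEN == 'true' }}
+run: |
+echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via granular token..."
+npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 github-release:
@@ -199,7 +217,7 @@ jobs:
 fetch-depth: 0
 - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
-node-version: 20
+node-version: 22
 - name: Setup
 run: npm install
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0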
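Review bot: The new "Update npm" step in the `publish` job installs `npm@^11.5.1`, a floating range resolved at release time, so the npm CLI that builds the provenance statement and publishes the package is not fixed, while every action in this file is pinned to a commit SHA. An exact version, such as `npm install -g npm@11.5.1`, keeps the release toolchain reproducible and lets an npm upgrade arrive as a reviewed change. Both publish steps also expand `${{env.NPM_VERSION}}` into the script text and leave `$NPM_TAG` unquoted. Where these values are set is outside the visible hunks, but writing `"./dist/nativescript-ios-$NPM_VERSION.tgz" --tag "$NPM_TAG"` keeps them as shell data instead of template-expanded command text. The `USE_NPM_TOKEN` fallback leaves a long-lived `NPM_PUBLISH_TOKEN` usable from this job, so I would add a comment stating when the variable may be set and confirm the secret is scoped to the `npm-publish` environment and not to the whole repository.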
