From 3764e8a069b3d3d5bf045bd952b7862d302d4a22 Mon Sep 17 00:00:00 2001 From: Chris Hagglund Date: Mon, 29 Jun 2026 13:14:56 -0600 Subject: [PATCH 1/2] test oidc trusted publishing --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 896a914b..910a948a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,7 @@ on: permissions: contents: read + id-token: write jobs: build-package-and-publish-release: @@ -17,16 +18,15 @@ jobs: uses: actions/setup-node@v4 with: node-version: "22" - registry-url: "https://registry.npmjs.org" - name: Bump version to release run: sed -i "s/v0.0.0/$RELEASE_VERSION/" ./package.json env: RELEASE_VERSION: ${{ github.ref_name }} - name: Install dependencies required to build package run: npm ci + - name: Upgrade npm for OIDC trusted publishing + run: npm install -g npm@latest - name: Build package run: npm run build - name: Publish package run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 28518e9b47f15ce83eb0e3c404f2f3b3459dfb95 Mon Sep 17 00:00:00 2001 From: Chris Hagglund Date: Mon, 29 Jun 2026 13:27:02 -0600 Subject: [PATCH 2/2] add manual workflow dispatch option --- .github/workflows/release.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 910a948a..5aa78080 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,12 @@ name: Continuous Delivery on: release: types: [published] + workflow_dispatch: + inputs: + version: + description: 'Version to release, matching the release tag (e.g., v1.2.3)' + required: true + type: string permissions: contents: read @@ -18,10 +24,13 @@ jobs: uses: actions/setup-node@v4 with: node-version: "22" + # RELEASE_VERSION is the v-prefixed tag (e.g. v3.0.3) on a release, or the + # manual input on dispatch. The leading "v" lands in package.json but npm + # strips it on publish, so the published version is clean (e.g. 3.0.3). - name: Bump version to release run: sed -i "s/v0.0.0/$RELEASE_VERSION/" ./package.json env: - RELEASE_VERSION: ${{ github.ref_name }} + RELEASE_VERSION: ${{ github.event_name == 'workflow_dispatch' && inputs.version || github.ref_name }} - name: Install dependencies required to build package run: npm ci - name: Upgrade npm for OIDC trusted publishing