fix(ci): publish npm releases through trusted OIDC#62
Conversation
Move the privileged release job to a supported GitHub-hosted runner and grant only that job contents and OIDC token permissions. Use the current release actions, Node 24, uncached setup, and npm 11 so the job satisfies npm trusted-publishing requirements without silently adopting a future npm major. Remove long-lived npm token variables and skip release-it 19's token-only npm whoami preflight. The actual npm publish command now exchanges the short-lived GitHub OIDC identity and generates provenance automatically. Validated with YAML parsing, Prettier, release-it CLI argument parsing, 48 unit tests, build, and lint.
🚀 Benchmark ResultsPerformance comparison against merge-base bun-latest
🚀 Benchmark ResultsAll solutions to the sudoku
Finding one pentomino tiling on a 6x10 field
Finding ten pentomino tilings on a 6x10 field
Finding one hundred pentomino tilings on a 6x10 field
Updated: 2026-07-13T23:00:15.035Z node-22
🚀 Benchmark ResultsAll solutions to the sudoku
Finding one pentomino tiling on a 6x10 field
Finding ten pentomino tilings on a 6x10 field
Finding one hundred pentomino tilings on a 6x10 field
Updated: 2026-07-13T23:00:28.785Z node-24
🚀 Benchmark ResultsAll solutions to the sudoku
Finding one pentomino tiling on a 6x10 field
Finding ten pentomino tilings on a 6x10 field
Finding one hundred pentomino tilings on a 6x10 field
Updated: 2026-07-13T23:00:32.351Z node-25
🚀 Benchmark ResultsAll solutions to the sudoku
Finding one pentomino tiling on a 6x10 field
Finding ten pentomino tilings on a 6x10 field
Finding one hundred pentomino tilings on a 6x10 field
Updated: 2026-07-13T23:00:24.324Z |
Generate release benchmark documentation on the existing Node 25 Namespace runner so published performance figures retain their consistent hardware baseline. Transfer only README.md through a SHA-scoped, one-day artifact and apply it explicitly outside the checkout boundary before the GitHub-hosted OIDC release job. Override release-it's benchmark hook only in CI, preventing an Ubuntu rerun while preserving the status-quo benchmark behavior for manual releases.
What changed
namespace-profile-defaultwith Node 25 after lint, test, and build succeed.README.mdas a SHA-scoped, one-day artifact, download it outside the checkout, and copy only that file into the release worktree.contents: writeandid-token: write.NPM_TOKENandNODE_AUTH_TOKENfrom the release environment.Why
The failed Release run reached npm with the old automation token and was rejected with
EOTP. npm trusted publishing authenticatesnpm publishthrough a short-lived OIDC identity, requires a GitHub-hosted runner and npm 11.5.1 or newer, and does not need a long-lived npm token.The release hook also publishes fresh performance comparisons in the README. GitHub-hosted CPU performance is too variable for those measurements, so the workflow now keeps benchmark generation on the existing Namespace runner while isolating the actual OIDC publish on GitHub-hosted infrastructure.
release-it's default
npm whoamipreflight cannot observe the publish-time OIDC identity, so the workflow bypasses only that preflight. Its real versioning, changelog, commit, tag, push, GitHub release, andnpm publishbehavior remains active.Security boundary
contents: read, with no secrets or OIDC permission.README.mdoutput crosses the job boundary.RUNNER_TEMP; the privileged job explicitly copies one expected file and verifies that no other tracked file changed.npm configuration required before merge
The
dancing-linkspackage's trusted publisher must match:TimBeyerdancing-linksrelease.ymlnpm publishValidation
.github/workflows/release.ymlas YAML and asserted the runner, permission, dependency, artifact, and token-removal contract.git diff --check.--npm.skipChecksand the CI-onlyafter:bumphook override correctly.update-benchmark-docs.git add . --update.npm test(48 passing).npm run build.npm run lint.The publish itself runs only after a push to
master, so the final OIDC exchange is verified by the post-merge Release run.References: npm trusted publishing, GitHub workflow artifacts, release-it OIDC setup.