From 8cc0edb5efc9a28f5f65f3266d3fdde3d8516362 Mon Sep 17 00:00:00 2001 From: Dan Moore Date: Tue, 20 Jan 2026 16:29:04 -0700 Subject: [PATCH 1/2] updated workflow this uses the new workflow which works with the npm token changes --- .github/workflows/publish.yaml | 56 +++++++++++++++++----------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 55a3041..d419308 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,44 +1,39 @@ --- -name: Publish +name: Publish the node CLI to NPM on: + push: + branches: + - main + pull_request: + branches: + - main workflow_dispatch: inputs: command: - required: true type: choice options: - - test - - publish + - test # build only + - publish # build & publish to npmjs default: test version: required: true type: string permissions: - contents: write + contents: read id-token: write jobs: - publish: + deploy: runs-on: ubuntu-latest + defaults: + run: + shell: /usr/bin/bash -l -e -o pipefail {0} steps: - - name: create github token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.ACTIONS_RUNNER_APP_ID }} - private-key: ${{ secrets.ACTIONS_RUNNER_PRIVATE_KEY }} - - name: checkout uses: actions/checkout@v4 - with: - token: ${{ steps.app-token.outputs.token }} - - name: configure git - run: | - git config --global user.name "FusionAuth Automation" - git config --global user.email "donotreply@fusionauth.io" - name: set aws credentials uses: aws-actions/configure-aws-credentials@v4 @@ -48,6 +43,7 @@ jobs: aws-region: us-west-2 - name: get secret + if: inputs.command == 'publish' run: | while IFS=$'\t' read -r key value; do echo "::add-mask::${value}" 
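Review bot: The new `push` and `pull_request` triggers run this job under the workflow-level `id-token: write` grant, and the `set aws credentials` step at the end of this hunk shows no `if:` in the visible lines. Every push and PR to main would therefore appear to request an OIDC token and assume the AWS role even though nothing is published. On those events `inputs.command` and `inputs.version` are empty, so neither the dry-run nor the publish step is selected. Consider moving `id-token: write` down to the `deploy` job and gating the AWS step with `if: inputs.command == 'publish'`. The step's `with:` block lies outside the hunk, so confirm it carries no condition already.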
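Review bot: The `get secret` step is now limited to publish runs, but the only visible consumer of its output, the `.npmrc` line using `${{ env.API_KEY }}`, is removed later in this patch. If publishing now authenticates through OIDC, this step and the AWS role assumption before it still pull a long-lived npm token into the job environment for no use. Dropping both would shrink what a compromised step can read. The loop body continues outside the hunk, so check whether another step still reads the value before removing it.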
@@ -59,11 +55,12 @@ jobs: --output text | \ jq -r 'to_entries[] | [.key, .value] | @tsv') - - name: create npmrc - run: | - echo "color=false" > ~/.npmrc - echo "//registry.npmjs.org/:_authToken=${{ env.API_KEY }}" >> ~/.npmrc - chmod 600 ~/.npmrc + - name: setup node for publishing + if: inputs.command == 'publish' + uses: actions/setup-node@v4 + with: + node-version: '20' + registry-url: 'https://registry.npmjs.org' # This generates the necessary .npmrc - name: set version run: npm version ${{ inputs.version }} @@ -84,7 +81,10 @@ jobs: if: inputs.command == 'test' run: npm publish --dry-run - - name: publish to npmjs (only on main branch) - if: inputs.command == 'publish' && github.ref == 'refs/heads/main' - run: npm publish - + - name: publish to npmjs + if: inputs.command == 'publish' + run: | + npm install -g npm@latest + npm publish --provenance --access public + env: + NODE_AUTH_TOKEN: "sigstore" # npm uses OIDC when this is any non-empty string From eeb1f0fa230fe33039d15bf2901f84863c952642 Mon Sep 17 00:00:00 2001 From: Dan Moore Date: Tue, 20 Jan 2026 16:40:17 -0700 Subject: [PATCH 2/2] bumped version of node setup --- .github/workflows/publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index d419308..725a703 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -57,7 +57,7 @@ jobs: - name: setup node for publishing if: inputs.command == 'publish' - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '20' registry-url: 'https://registry.npmjs.org' # This generates the necessary .npmrc
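Review bot: `actions/setup-node@v4` is referenced by a mutable tag in the job that holds `id-token: write` and publishes to npm, so whoever can move that tag can run code with publish rights. Pin it to a full commit SHA with the tag as a comment, `uses: actions/setup-node@<full-commit-sha> # v4`, and carry the pin through the `@v6` bump in patch 2/2. Because this step is gated on `publish`, the `test` path builds on the runner's default Node rather than `node-version: '20'`; consider dropping the `if:` here so the dry run matches the real publish.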
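Review bot: The publish condition loses `github.ref == 'refs/heads/main'`, so a `workflow_dispatch` started from any branch with `command: publish` now publishes that branch's code with provenance. Unless the registry-side trusted-publisher settings or a protected environment restrict the ref (not visible here), keep the guard: `if: inputs.command == 'publish' && github.ref == 'refs/heads/main'`. `npm install -g npm@latest` also puts a floating CLI version in the release path; pinning a known-good version (`npm install -g npm@<pinned-version>`) keeps the publish reproducible.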