chore(deps): bump semantic-release to 25 for npm trusted publishing #1029
Merged
pgoodjohn merged 1 commit intoJun 12, 2026
@semantic-release/npm gained support for npm trusted publishing (OIDC) in v12.0.2, which requires semantic-release >= 24. The previous pin of semantic-release@19.0.5 / @semantic-release/npm@9.0.1 hard-failed in verifyConditions with ENONPMTOKEN before npm ever got a chance to use the OIDC flow configured on the registry. This upgrade pulls in @semantic-release/npm@13 and @semantic-release/github@12 transitively, so the release workflow can finally authenticate via OIDC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🎉 This PR is included in version 4.3.2 🎉 The release is available on: Your semantic-release bot 📦🚀
Summary

Closes #1025.

Follow-up to #1028. After granting id-token: write and dropping NPM_TOKEN, the release run still failed with ENONPMTOKEN: https://github.com/commitizen/cz-cli/actions/runs/27406345627/job/80996318512

Root cause: the repo was pinned to semantic-release@19.0.5, which pulls in @semantic-release/npm@9.0.1 (2022). That plugin version has no concept of npm trusted publishing — its verifyConditions step hard-requires NPM_TOKEN and exits before npm ever gets a chance to mint an OIDC credential.

Trusted publishing support was added in @semantic-release/npm@12.0.2 (Oct 2025), which requires semantic-release >= 24.

This bumps semantic-release to 25.0.5, which transitively pulls in:

- @semantic-release/npm@13.1.5 (supports OIDC)
- @semantic-release/github@12.0.8

No other plugin config changes were needed — the existing release block in package.json (preset: conventionalcommits) still works.

Notes

semantic-release@25 requires Node ^22.14.0 || >= 24.10.0. The release workflow uses node-version: lts/*, which currently resolves to Node 22 — fine. The engines field in package.json (>= 18) is left untouched since it constrains end-user installs of commitizen, not the release pipeline.

Test plan

master and confirm the next release run gets past verifyConditions and publishes via OIDC (look for provenance lines in the publish output).
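
A preflight check for the version constraints described in this PR, as an added example that is not part of the PR or the commitizen repository: it reads a parsed package-lock.json and reports plugin versions that predate trusted-publishing support, plus a Node version outside the range given for semantic-release@25. The function names, the constructed lockfile excerpts and the npm lockfileVersion 2/3 `packages` layout are assumptions of this example.

```javascript
// Minimum versions quoted from the PR description.
const MINIMUMS = { 'semantic-release': '24.0.0', '@semantic-release/npm': '12.0.2' };

// "x.y.z" -> [x, y, z]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a >= version b.
function gte(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// Node range the PR gives for semantic-release@25: ^22.14.0 || >= 24.10.0
function nodeOkForSr25(node) {
  return (parseVersion(node)[0] === 22 && gte(node, '22.14.0')) || gte(node, '24.10.0');
}

// lock: parsed package-lock.json (assumed lockfileVersion 2/3 "packages" map).
function checkTrustedPublishing(lock, nodeVersion) {
  const problems = [];
  const packages = lock.packages || {};
  for (const [name, min] of Object.entries(MINIMUMS)) {
    // Collect hoisted and nested copies of the package.
    const hits = Object.entries(packages)
      .filter(([path]) => path.endsWith(`node_modules/${name}`));
    if (hits.length === 0) problems.push(`${name} not found in lockfile`);
    for (const [path, pkg] of hits) {
      if (!gte(pkg.version, min)) problems.push(`${path}@${pkg.version} < ${min}`);
    }
  }
  const sr = packages['node_modules/semantic-release'];
  if (sr && parseVersion(sr.version)[0] === 25 && !nodeOkForSr25(nodeVersion)) {
    problems.push(`Node ${nodeVersion} outside ^22.14.0 || >=24.10.0`);
  }
  return problems;
}

// Constructed lockfile excerpts using the versions named in the PR.
const BEFORE = { packages: {
  'node_modules/semantic-release': { version: '19.0.5' },
  'node_modules/@semantic-release/npm': { version: '9.0.1' } } };
const AFTER = { packages: {
  'node_modules/semantic-release': { version: '25.0.5' },
  'node_modules/@semantic-release/npm': { version: '13.1.5' } } };
console.log(checkTrustedPublishing(BEFORE, 'v22.14.0')); // two version problems
console.log(checkTrustedPublishing(AFTER, 'v22.14.0'));  // []
```

Run against the real lockfile in CI, a non-empty result explains an ENONPMTOKEN failure before the release job is attempted.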