
Trusted publishers support #249

Merged
kentcdodds merged 1 commit into main from cursor/trusted-publishers-support-bc40 on Feb 6, 2026

Conversation


@kentcdodds kentcdodds commented Feb 6, 2026

What:
Updated the release job in validate.yml to support npm trusted publishers.

Why:
To enable publishing packages with provenance information using OIDC, enhancing security by removing the reliance on long-lived NPM_TOKEN secrets. This aligns with modern best practices for npm publishing.

How:

  • Added permissions to the release job, including id-token: write for OIDC.
  • Set NPM_CONFIG_PROVENANCE: 'true' in the release job's environment.
  • Removed NPM_TOKEN from the semantic-release-action step's environment.

Checklist:

  • [N/A] Documentation
  • [N/A] Tests
  • Ready to be merged



Note

Medium Risk
Changes the release pipeline’s auth mechanism and permissions; misconfiguration could break publishing or broaden GitHub token capabilities, but scope is limited to CI.

Overview
Updates the GitHub Actions release job to publish via npm Trusted Publishers/OIDC by granting id-token: write and enabling npm provenance (NPM_CONFIG_PROVENANCE: 'true').

Removes use of the long-lived NPM_TOKEN secret from the semantic-release step, relying on workflow permissions for release/publishing-related actions instead.

Written by Cursor Bugbot for commit 522854a.

Summary by CodeRabbit

  • Chores
    • Enhanced release workflow security by updating GitHub Actions permissions for contents, identity tokens, issues, and pull requests.
    • Improved package verification by enabling NPM package provenance configuration during the release process.

Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>
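As an added illustration (not the PR's own validate.yml), the release job before and after the change the PR describes: the long-lived NPM_TOKEN secret replaced by a job-scoped OIDC token exchange with npm provenance enabled. The action names, versions and Node version are assumptions; the actual workflow lives in the repository.

```yaml
# BEFORE: a long-lived npm automation token stored as a repository secret.
# Whoever obtains NPM_TOKEN can publish the package from anywhere, and the
# published tarball carries no provenance attestation.
release-with-token:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 24
        registry-url: https://registry.npmjs.org
    - uses: cycjimmy/semantic-release-action@v4   # assumed action, not from the PR
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}       # long-lived secret

# AFTER: npm trusted publishing. The job requests a short-lived OIDC token
# that identifies this repository and workflow file; npm exchanges it for a
# publish credential only if a matching trusted publisher is configured for
# the package on npmjs.com. There is no NPM_TOKEN secret to leak.
# Permissions are set on the job, not the workflow, so the broadened
# GITHUB_TOKEN scope does not reach the lint/test jobs.
release-with-oidc:
  runs-on: ubuntu-latest
  permissions:
    contents: write        # semantic-release pushes tags and GitHub releases
    id-token: write        # lets the job mint the OIDC token npm verifies
    issues: write          # semantic-release comments on released issues
    pull-requests: write   # and on released pull requests
  env:
    NPM_CONFIG_PROVENANCE: 'true'   # attach a Sigstore provenance attestation
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 24   # assumption: bundled npm must support trusted publishing (11.5.1+)
        registry-url: https://registry.npmjs.org   # .npmrc must target npmjs.org for the OIDC exchange
    - run: npm --version   # surfaces an npm too old for trusted publishing in the log
    - uses: cycjimmy/semantic-release-action@v4   # assumed action, not from the PR
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # NPM_TOKEN intentionally absent: publishing authenticates via OIDC
```

The trusted publisher entry on npmjs.com must name exactly this repository and workflow file, otherwise the exchange is refused and publishing fails rather than silently falling back to a token. Consumers can check the resulting attestation with `npm audit signatures`.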

cursor bot commented Feb 6, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents


coderabbitai bot commented Feb 6, 2026

Caution

Review failed

The pull request is closed.


Walkthrough

Modified the GitHub Actions release workflow to use NPM provenance for package publishing. Added explicit permissions for the release job (contents, id-token, issues, pull-requests) and an environment variable enabling NPM provenance configuration. Removed direct NPM_TOKEN secret reference from the release step environment.

Changes

Cohort / File(s): GitHub Actions Workflow (.github/workflows/validate.yml)
Summary: Added permissions block to release job granting write access to contents, id-token, issues, and pull-requests. Introduced NPM_CONFIG_PROVENANCE: 'true' environment variable. Removed NPM_TOKEN secret from release step environment variables.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops of joy with provenance so true,
No secrets exposed, permissions all new,
NPM publishes with trust and with care,
Security hopping through the air!


@kentcdodds kentcdodds marked this pull request as ready for review February 6, 2026 18:03
@kentcdodds kentcdodds merged commit 6b5c6e4 into main Feb 6, 2026
7 of 8 checks passed
@kentcdodds kentcdodds deleted the cursor/trusted-publishers-support-bc40 branch February 6, 2026 18:04

codecov bot commented Feb 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.26%. Comparing base (e68fecc) to head (522854a).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #249      +/-   ##
==========================================
+ Coverage   63.14%   63.26%   +0.12%     
==========================================
  Files          21       21              
  Lines         605      607       +2     
  Branches      228      230       +2     
==========================================
+ Hits          382      384       +2     
  Misses        182      182              
  Partials       41       41              



github-actions bot commented Feb 6, 2026

🎉 This PR is included in version 17.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
