ci: Changing the action to use trusted publishing for npm packages#47
Merged
polymesh-bot merged 1 commit intomainfrom Feb 19, 2026
Merged
ci: Changing the action to use trusted publishing for npm packages#47polymesh-bot merged 1 commit intomainfrom
polymesh-bot merged 1 commit intomainfrom
Conversation
Contributor
Author
|
I will draft this until the necessary changes are made on npmjs.com. |
prashantasdeveloper
approved these changes
Feb 19, 2026
Contributor
Author
|
/fast-forward |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Migrate npm publishing from classic token authentication to OIDC Trusted Publishing.
npm classic tokens were permanently revoked in December 2025. Granular access tokens
are now limited to 90 days for write access, requiring periodic manual rotation.
OIDC Trusted Publishing eliminates token management entirely — GitHub provides
short-lived tokens automatically via its OIDC provider.
Changes:
NPM_TOKENsecret from release workflowid-token: writepermission to enable OIDC token generationcontents,issues, andpull-requestspermissions (previously implicit)Breaking Changes
JIRA Link
Checklist