
CI: add npm OIDC Trusted Publisher workflows#14

Merged: azu merged 3 commits into master from oidc on Jan 3, 2026

Conversation

@azu azu commented Jan 3, 2026

Summary

Add npm OIDC Trusted Publisher workflows and security configuration for secure, automated npm releases.

What's Changed

  • Add create-release-pr.yml workflow for automated version bump and release PR creation
  • Add release.yml workflow with npm OIDC publishing (Trusted Publisher)
  • Add CODEOWNERS for critical workflow file protection
  • Fix zizmor excessive-permissions warning in test workflow

Key Changes

New Workflows

Create Release PR (create-release-pr.yml):

  • Manual trigger with version type selection (patch/minor/major)
  • Automatic version bump and commit
  • Generate release notes from GitHub API
  • Create draft PR with release label

Release (release.yml):

  • Triggered on merged PR with "Type: Release" label
  • npm OIDC Trusted Publisher (id-token: write)
  • Build, publish with provenance, create GitHub Release
  • PR comment with release details

Security

  • CODEOWNERS: Require @textlint/admin review for release workflows
  • Explicit permissions on all jobs
  • persist-credentials: false on checkouts
  • Pinned action versions with commit SHAs

Test Plan

  • Verify workflows appear in Actions tab
  • Test create-release-pr workflow with workflow_dispatch
  • Verify CODEOWNERS triggers review requests

Breaking Changes

None

Additional Notes

Requires npm environment with OIDC Trusted Publisher configured.
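As an added illustration, not the project's own release.yml from this PR, here is a minimal workflow shaped like the description above: a merged-PR trigger gated on the "Type: Release" label, job-scoped permissions including id-token: write, persist-credentials: false on checkout, and SHA-pinned actions. The <PINNED_COMMIT_SHA> values are placeholders, and the npm version floor comes from npm's Trusted Publisher requirements rather than from this PR.

```yaml
name: Release

on:
  pull_request:
    types: [closed]

# Workflow-level default: no permissions. Each job grants only what it needs,
# which is what the zizmor excessive-permissions check asks for.
permissions: {}

jobs:
  release:
    # Run only when the PR was actually merged (not merely closed) and carries the release label.
    if: >-
      github.event.pull_request.merged == true &&
      contains(github.event.pull_request.labels.*.name, 'Type: Release')
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the GitHub Release
      id-token: write        # mint the OIDC token npm verifies as a Trusted Publisher
      pull-requests: write   # comment release details on the merged PR
    steps:
      # Placeholder SHAs: pin to a full commit SHA of the action, not a mutable tag.
      - uses: actions/checkout@<PINNED_COMMIT_SHA>
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps
      - uses: actions/setup-node@<PINNED_COMMIT_SHA>
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted Publishing needs npm 11.5.1 or later; older Node releases bundle an older npm.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build --if-present
      - run: npm test
      # No NODE_AUTH_TOKEN secret anywhere: npm exchanges the job's OIDC token for a
      # short-lived publish credential and attaches a provenance attestation.
      - run: npm publish --provenance
      - name: Create GitHub Release
        run: gh release create "v$(node -p 'require("./package.json").version')" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
      - name: Comment on the release PR
        run: gh pr comment ${{ github.event.pull_request.number }} --body "Published to npm via OIDC Trusted Publisher."
        env:
          GH_TOKEN: ${{ github.token }}
```

Because the workflow never references an npm token secret, a leaked or exfiltrated repository secret cannot publish this package; only a run of this exact workflow, on this repository, can obtain a publish credential.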

azu and others added 3 commits January 4, 2026 05:57
- create-release-pr.yml: Creates release PRs with version bump and release notes
- release.yml: Publishes to npm using Trusted Publisher (OIDC) when PR is merged
- CODEOWNERS: Protects critical workflow files from unauthorized changes
- No npm tokens required - uses GitHub OIDC for authentication
Fix zizmor excessive-permissions warning by adding job-level permissions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@azu azu added the Type: CI Changes to CI configuration files and scripts label Jan 3, 2026
@azu azu merged commit 1b16704 into master Jan 3, 2026
6 checks passed
@azu azu deleted the oidc branch January 3, 2026 21:11
@github-actions github-actions bot mentioned this pull request Jan 3, 2026