ci: upgrade workflows to Node 24 with OIDC publishing #12

Open

ryanRfox wants to merge 1 commit into radiustechsystems:main from ryanRfox:fix/node-22-workflows

@ryanRfox ryanRfox commented Jan 22, 2026

Summary

  • Update all TypeScript workflows to Node 24 (required for npm 11+ OIDC support)
  • Add workflow_dispatch trigger for manual releases
  • Switch to OIDC trusted publishing (no NPM_TOKEN secret needed)
  • Add prerelease tag handling for alpha/beta versions
  • Fix build command (build:prod → build)

Changes

File                      Changes
typescript-lint.yml       Node 20 → 24
typescript-test.yml       Node 20 → 24
typescript-publish.yml    Node 20 → 24, OIDC, workflow_dispatch

Why Node 24?

Node 24 ships with npm 11+ which has native OIDC trusted publishing support. This eliminates the need for long-lived NPM_TOKEN secrets.

Test plan

  • Tested on fork with successful publish to @ryanrfox/sdk
  • Verify CI passes on this PR

Note

Recommend squash merge to keep commit history clean.

- Update all TypeScript workflows to Node 24 (required for npm OIDC)
- Add workflow_dispatch trigger for manual releases
- Switch to OIDC trusted publishing (no NPM_TOKEN needed)
- Add prerelease tag handling for alpha/beta versions
- Fix build command (build:prod -> build)
@ryanRfox ryanRfox force-pushed the fix/node-22-workflows branch from 41c821c to bf865ee Compare January 23, 2026 20:53
@ryanRfox ryanRfox changed the title from "ci: update Node.js version to 22 in workflows" to "ci: upgrade workflows to Node 24 with OIDC publishing" Jan 23, 2026
@ryanRfox ryanRfox (Author) commented

Post-Merge Setup Required

This PR switches from NPM_TOKEN secret to OIDC trusted publishing. After merging, two configuration steps are required before the publish workflow will work:

Step 1: Create GitHub Environment

Why: OIDC trusted publishing requires a GitHub environment to establish trust between the workflow and npm.

How:

  1. Go to Settings → Environments in the repository
  2. Click "New environment"
  3. Name it exactly: npm-publish
  4. Click "Configure environment"
  5. No additional settings needed - just save

Step 2: Configure npm Trusted Publisher

Why: npm needs to know which GitHub repository/workflow is authorized to publish without a token. This creates a cryptographic trust relationship using OpenID Connect (OIDC).

How:

  1. Go to the package settings on npm:
  2. Scroll to "Trusted Publisher" section
  3. Click "Add trusted publisher"
  4. Select "GitHub Actions" as the publisher
  5. Fill in the form:

     Field                   Value
     Organization or user    radiustechsystems
     Repository              sdk
     Workflow filename       typescript-publish.yml
     Environment name        npm-publish

  6. Click "Add" to save

How It Works

Once configured:

  • When the workflow runs, GitHub generates a short-lived OIDC token
  • npm verifies the token matches the trusted publisher configuration
  • No long-lived secrets to rotate or leak
  • Publishes include cryptographic provenance attestation

Testing

After setup, you can test by:

  1. Going to Actions → TypeScript SDK Publish
  2. Click "Run workflow"
  3. Enter a version number
  4. The workflow should complete successfully

These instructions were tested successfully on a fork publishing to @ryanrfox/sdk.
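As an added illustration (not the repository's own typescript-publish.yml, which this PR does not show), here is a publish workflow wired the way the PR description and the setup comment above describe: Node 24, a workflow_dispatch trigger with a version input, the npm-publish environment, OIDC via id-token: write with no NPM_TOKEN, and alpha/beta dist-tag handling. It assumes the package sits at the repository root, is built with npm run build, and that the pre-existing trigger is a published release.

```yaml
name: TypeScript SDK Publish

on:
  release:                  # assumed pre-existing trigger; not shown in the PR
    types: [published]
  workflow_dispatch:        # manual releases, as the PR adds
    inputs:
      version:
        description: Version to publish (e.g. 1.2.0 or 1.2.0-beta.1)
        required: true
        type: string

permissions:
  contents: read
  id-token: write           # lets the job mint a short-lived OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish  # must match the environment name registered on npm
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24  # ships npm 11+, which speaks OIDC natively
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm run build  # the PR corrects build:prod -> build

      - name: Set version for manual runs
        if: github.event_name == 'workflow_dispatch'
        env:
          VERSION: ${{ inputs.version }}  # via env, never interpolated into the script
        run: npm version "$VERSION" --no-git-tag-version

      # No NODE_AUTH_TOKEN or NPM_TOKEN here: npm exchanges the GitHub OIDC token
      # for a publish credential and attaches provenance automatically.
      - name: Publish with prerelease dist-tag handling
        run: |
          VERSION="$(node -p "require('./package.json').version")"
          case "$VERSION" in
            *-alpha*) TAG=alpha ;;
            *-beta*)  TAG=beta ;;
            *)        TAG=latest ;;
          esac
          npm publish --tag "$TAG"
```

If the environment name in the workflow and the one registered on npm differ, the token exchange fails and the publish is rejected, which is the check that keeps a forked or renamed workflow from publishing under this trust relationship.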

@ryanRfox ryanRfox requested a review from sscovil January 23, 2026 20:58