fix(ci)?: oidc trusted publisher

ariesclark · ariesclark · commit 78405d5d1c25 · 2025-12-09T15:08:38.000-07:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -10,6 +10,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 name: Build & release
 
 jobs:
@@ -18,19 +22,17 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/cache@v4
-        with:
-          key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: pnpm-
-          path: |
-            ~/.pnpm-store
-            ~/.cache/pnpm
-            **/node_modules
-
       - uses: pnpm/action-setup@v4
         with:
           version: 10
           run_install: false
+      
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
 
       - run: pnpm install
 
@@ -59,6 +61,4 @@ jobs:
       - run: pnpm build
 
       - if: github.ref == 'refs/heads/main'
-        run: |
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
-          pnpm publish --no-git-checks --tag ${{ env.version_tag }}
+        run: pnpm publish --no-git-checks --tag ${{ env.version_tag }}
