ci: Switch to OIDC trusted publishing for npm (no token needed)

2026-03-06 17:04:20 +01:00
parent c0096503b2
commit 2b7660f019
2 changed files with 7 additions and 2 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,14 +4,17 @@ stages:
 semantic-release:
  stage: release
  image: node:lts-alpine
+  id_tokens:
+    NPM_ID_TOKEN:
+      aud: "npm:registry.npmjs.org"
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
  before_script:
    - apk add git openssh
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
    - ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
    - chmod 600 ~/.ssh/id_ed25519
-    - export NPM_TOKEN="${NODE_AUTH_TOKEN}"
-    - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
    - npm install
    - npm run build
  script:
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1,2 @@
+registry=https://registry.npmjs.org/
+@carealytix:registry=https://registry.npmjs.org/