ci: switch npm publish to OIDC trusted publishing

YunYouJun · YunYouJun · commit 14bad1faceff · 2026-03-29T01:24:20.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,17 +8,19 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@v4
 
-      # after pnpm
       - name: Use Node.js LTS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: lts/*
           registry-url: https://registry.npmjs.org/
@@ -28,11 +30,11 @@ jobs:
         run: pnpm install
 
       - run: npm run build --if-present
-      # https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
+
       - run: pnpm publish --access public --no-git-checks
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true
 
-      - run: npx changelogithub # or changelogithub@0.12 if ensure the stable result
+      - run: npx changelogithub
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
