From b8e49ede25d14d5b3405f4db9185047763d0133b Mon Sep 17 00:00:00 2001
From: AJ Mabry <81774843+aj-bw@users.noreply.github.com>
Date: Fri, 29 Aug 2025 08:38:24 -0400
Subject: [PATCH 1/4] update workflow to support npm publish with oidc
---
 .github/workflows/publish-wasm-internal.yml | 43 ++++++---------------
 1 file changed, 11 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index 44c31af54..002da968d 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -58,6 +58,7 @@ jobs: npm: name: Publish NPM + environment: NPM runs-on: ubuntu-24.04 needs: setup permissions:
@@ -67,27 +68,11 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Setup Node - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 + - name: Set up Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: 20 - - - name: Log in to Azure - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Retrieve secrets - id: retrieve-secrets - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "npm-api-key" - - - name: Log out from Azure - uses: bitwarden/gh-actions/azure-logout@main + node-version: 24 + registry-url: "https://registry.npmjs.org/" - name: Download artifact uses: bitwarden/gh-actions/download-artifacts@main
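Review bot: The added `environment: NPM` line has no comment saying why the job is scoped to an environment, and the entries under `permissions:` lie outside the hunk. If the npm trusted-publisher configuration matches on that name (an inference; the diff does not show it), a rename here would break publishing, so a comment such as `# Must match the environment named in the npm trusted publisher config` would help. It is also worth confirming that the permissions block grants `id-token: write`, which OIDC publishing needs, and nothing broader.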
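Review bot: The trailing `bitwarden/gh-actions/download-artifacts@main` step stays on a mutable branch ref, while `actions/checkout` and the updated `actions/setup-node` are pinned to commit SHAs. With the stored npm token gone, the authority to publish rests on what runs inside this job, so every action that executes before `npm publish` is part of that trust boundary. Pinning it the same way, `uses: bitwarden/gh-actions/download-artifacts@<full-commit-sha> # <tag>`, would keep a change on that branch from reaching the publish job unreviewed. Whatever follows that `uses:` line is outside the hunk.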
@@ -102,19 +87,13 @@ jobs: run: | npm version --no-git-tag-version $VERSION env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION: ${{needs.setup.outputs.release-version}} + VERSION: ${{needs.setup.outputs.release-version}} - - name: Setup NPM + - name: Install NPM run: | - echo 'registry="https://registry.npmjs.org/"' > ./.npmrc - echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc - - echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc - echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc - env: - NPM_TOKEN: ${{ steps.retrieve-secrets.outputs.npm-api-key }} - + npm install -g npm@latest # npm 11.5.1 or later is required to publish w/ OIDC + npm --version + - name: Publish NPM if: ${{ inputs.release_type != 'Dry Run' }} - run: npm publish --access public --registry=https://registry.npmjs.org/ --userconfig=./.npmrc + run: npm publish --access public
From b4dbf464e056f0fcf370cb483db387c6b36b05aa Mon Sep 17 00:00:00 2001
From: AJ Mabry <81774843+aj-bw@users.noreply.github.com>
Date: Tue, 2 Sep 2025 14:39:25 -0400
Subject: [PATCH 2/4] linting fix
---
 .github/workflows/publish-wasm-internal.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index 002da968d..89fb79850 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -87,13 +87,13 @@ jobs: run: | npm version --no-git-tag-version $VERSION env: - VERSION: ${{needs.setup.outputs.release-version}} + VERSION: ${{needs.setup.outputs.release-version}} - name: Install NPM run: | npm install -g npm@latest # npm 11.5.1 or later is required to publish w/ OIDC npm --version - + - name: Publish NPM if: ${{ inputs.release_type != 'Dry Run' }} run: npm publish --access public
From e1fe06e1d2f47abf9d616b494f2029c3df02a113 Mon Sep 17 00:00:00 2001
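Review bot: In the first hunk on this line (PATCH 1/4), `npm install -g npm@latest` makes the publishing tool itself an unpinned download in the one job that can publish, and `npm --version` only prints the result rather than enforcing the 11.5.1 floor the comment describes. Pinning to a reviewed release, for example `npm install -g npm@11.5.1`, keeps that floor explicit and avoids picking up a new npm at release time. PATCH 4/4 later removes this step, after which the floor depends on the npm bundled with whichever Node 24 build `setup-node` resolves; a version check before `npm publish` would make a shortfall fail early. Separately, `$VERSION` in the `npm version` line is unquoted; `"$VERSION"` is safer.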
From: AJ Mabry <81774843+aj-bw@users.noreply.github.com>
Date: Wed, 3 Sep 2025 14:38:08 -0400
Subject: [PATCH 3/4] clarify job title
---
 .github/workflows/publish-wasm-internal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index 89fb79850..eeb044df1 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -89,7 +89,7 @@ jobs: env: VERSION: ${{needs.setup.outputs.release-version}} - - name: Install NPM + - name: Update NPM run: | npm install -g npm@latest # npm 11.5.1 or later is required to publish w/ OIDC npm --version
From cc51016413ec0b44c67c85ef32e4eafb8504f7b5 Mon Sep 17 00:00:00 2001
From: AJ Mabry <81774843+aj-bw@users.noreply.github.com>
Date: Wed, 3 Sep 2025 14:57:23 -0400
Subject: [PATCH 4/4] update npm not necessary when specifying node v24
---
 .github/workflows/publish-wasm-internal.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index eeb044df1..00089e721 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -89,11 +89,6 @@ jobs: env: VERSION: ${{needs.setup.outputs.release-version}} - - name: Update NPM - run: | - npm install -g npm@latest # npm 11.5.1 or later is required to publish w/ OIDC - npm --version - - name: Publish NPM if: ${{ inputs.release_type != 'Dry Run' }} run: npm publish --access public