fix(ci): avoid secrets context in step if

Remove secrets-based step conditionals in reusable npm publish workflow; decide token vs OIDC at runtime.
Shantur Rathore
2026-02-12 23:58:18 +00:00
parent e6c568988a
commit 3047a1e602


@@ -70,18 +70,19 @@ jobs:
run: npm version ${VERSION} --workspaces --include-workspace-root --no-git-tag-version --allow-same-version run: npm version ${VERSION} --workspaces --include-workspace-root --no-git-tag-version --allow-same-version
- name: Publish server package with provenance - name: Publish server package with provenance
if: ${{ secrets.NPM_TOKEN != '' }}
env: env:
# Optional: when present, npm will use token auth.
# When empty/unset, npm trusted publishing (OIDC) may be used if configured.
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_CONFIG_PROVENANCE: true NPM_CONFIG_PROVENANCE: true
NPM_CONFIG_REGISTRY: https://registry.npmjs.org NPM_CONFIG_REGISTRY: https://registry.npmjs.org
shell: bash
run: | run: |
npm publish --workspace @neuralnomads/codenomad --access public --tag ${DIST_TAG} --provenance set -euo pipefail
if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
- name: Publish server package with provenance (OIDC) echo "NPM_TOKEN not set; attempting npm trusted publishing (OIDC)"
if: ${{ secrets.NPM_TOKEN == '' }} unset NODE_AUTH_TOKEN
env: else
NPM_CONFIG_PROVENANCE: true echo "Using NPM_TOKEN authentication"
NPM_CONFIG_REGISTRY: https://registry.npmjs.org fi
run: |
npm publish --workspace @neuralnomads/codenomad --access public --tag ${DIST_TAG} --provenance npm publish --workspace @neuralnomads/codenomad --access public --tag ${DIST_TAG} --provenance
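Review bot: `--tag ${DIST_TAG}` in the publish command is expanded unquoted, and `set -euo pipefail` does not stop word splitting or globbing, so a tag value containing whitespace would reach `npm publish` as extra arguments; quote it as `--tag "${DIST_TAG}"` (the same applies to `${VERSION}` in the `npm version` step above). Where DIST_TAG is set is outside this hunk, so how far a caller of this reusable workflow controls it should be confirmed. The OIDC branch also depends on the job granting `permissions: id-token: write`, which is not visible here; a comment next to the fallback stating that requirement would help, because a missing token now surfaces as a publish failure rather than as a different step being selected. Since a present NPM_TOKEN always wins, a long-lived token left in the repository secrets will keep being used even after trusted publishing is configured, so removing the secret is part of the migration.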