👷 github: setup npm trusted publishing

cruzdanilo · cruzdanilo · commit 9ede7dbdf80b · 2025-09-05T19:31:34.000+02:00
diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml
@@ -3,6 +3,8 @@ on:
   push:
     branches: [main]
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions:
+  id-token: write
 jobs:
   version:
     environment: version
@@ -19,18 +21,31 @@ jobs:
         with:
           node-version: ">=22.16.0"
           cache: pnpm
+          registry-url: https://registry.npmjs.org
+          always-auth: true
+          scope: "@exactly"
       - uses: foundry-rs/foundry-toolchain@v1
       - run: pnpm install --frozen-lockfile
       - uses: crazy-max/ghaction-import-gpg@v5 # cspell:ignore ghaction
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           git_user_signingkey: true # cspell:ignore signingkey
           git_commit_gpgsign: true # cspell:ignore gpgsign
+      - name: npm debug
+        run: |
+          echo "registry: $(npm config get registry)"
+          echo "--- repo .npmrc ---"; [ -f .npmrc ] && cat .npmrc || echo "(none)"
+          echo "--- user .npmrc ---"; [ -f ~/.npmrc ] && cat ~/.npmrc || echo "(none)"
+          echo "--- publishConfig from @exactly/lib ---"
+          node -e "const p=require('./package.json');console.log(p.publishConfig||'(none)')"
+          echo "--- npm view (should succeed) ---"
+          npx --yes npm@latest view @exactly/lib name version || true
       - uses: changesets/action@v1
         with:
           title: 🔖 new release
           publish: pnpm changeset publish
           setupGitUser: false
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_ACCESS: public
+          NPM_CONFIG_PROVENANCE: true
