test: oidc

Author: sobird

.github/workflows/publish.yml

@@ -1,26 +1,60 @@
-name: Publish Package
+# https://docs.npmjs.com/trusted-publishers#supported-cicd-providers
+
+name: Publish package to NPM
 
 on:
   workflow_dispatch:
 
 permissions:
   id-token: write  # Required for OIDC
   contents: read
-
+  
 jobs:
   publish:
+    name: Publish package to NPM
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Check out repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up pnpm
         uses: pnpm/action-setup@v4
         with:
           version: 10
-      - uses: actions/setup-node@v4
+          run_install: false
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
         with:
-          node-version: '24'
+          node-version-file: .node-version
           registry-url: 'https://registry.npmjs.org'
-      - run: pnpm install
-      - run: npm test
-      - run: npm publish
+          cache: pnpm
+
+      - name: Restore cache
+        id: dependencies-cache
+        uses: actions/cache@v5
+        with:
+          path: |
+            **/node_modules
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+              ${{ runner.os }}-pnpm-
+
+      - name: Install Dependencies 🔧
+        if: steps.dependencies-cache.outputs.cache-hit != 'true'
+        run: |
+          pnpm install
+
+      - name: Build ☕️
+        run: |
+          pnpm build
+
+      - name: Publish to NPM
+        run: |
+          npm publish
+        # env:
+        #   NPM_CONFIG_PROVENANCE: true

.github/workflows/release.yml

@@ -12,77 +12,36 @@ permissions:
 name: release-please
 
 jobs:
-  release:
-    runs-on: ubuntu-latest
-    outputs:
-      release-published: ${{ steps.release.outputs.release_created }}
-    steps:
-      - name: Release please
-        uses: googleapis/release-please-action@v4
-        id: release
-        with:
-          # this assumes that you have created a personal access token
-          # (PAT) and configured it as a GitHub action secret named
-          # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important).
-          token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
-          # this is a built-in strategy in release-please, see "Action Inputs"
-          # for more options
-          release-type: node
-          # create a release from a path other than the repository's root
-          # path: pkg/cmd
-          # The short ref name of the branch or tag that triggered
-          # the workflow run. For example, `main` or `1.x`
-          # target-branch: ${{ github.ref_name }}
+  # release:
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     release-published: ${{ steps.release.outputs.release_created }}
+  #   steps:
+  #     - name: Release please
+  #       uses: googleapis/release-please-action@v4
+  #       id: release
+  #       with:
+  #         # this assumes that you have created a personal access token
+  #         # (PAT) and configured it as a GitHub action secret named
+  #         # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important).
+  #         token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
+  #         # this is a built-in strategy in release-please, see "Action Inputs"
+  #         # for more options
+  #         release-type: node
+  #         # create a release from a path other than the repository's root
+  #         # path: pkg/cmd
+  #         # The short ref name of the branch or tag that triggered
+  #         # the workflow run. For example, `main` or `1.x`
+  #         # target-branch: ${{ github.ref_name }}
 
-          # If true, do not attempt to create releases. 
-          # This is useful if splitting release tagging from PR creation.
-          # skip-github-release: true
+  #         # If true, do not attempt to create releases. 
+  #         # This is useful if splitting release tagging from PR creation.
+  #         # skip-github-release: true
 
   publish:
-    runs-on: ubuntu-latest
-    if: needs.release.outputs.release-published
-    needs: release
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: .node-version
-          registry-url: https://registry.npmjs.org/
-          cache: pnpm
-
-      - name: Restore cache
-        id: dependencies-cache
-        uses: actions/cache@v5
-        with:
-          path: |
-            **/node_modules
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-              ${{ runner.os }}-pnpm-
-
-      - name: Install Dependencies 🔧
-        if: steps.dependencies-cache.outputs.cache-hit != 'true'
-        run: |
-          pnpm install
-
-      - name: Build ☕️
-        run: |
-          pnpm build
-
-      - name: Publish to NPM
-        run: |
-          npm publish
-        env:
-          NPM_CONFIG_PROVENANCE: true
+    # if: needs.release.outputs.release-published
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
+    # needs: release
+    uses: ./.github/workflows/publish.yml