From 00891dee903b65d18110421baa4afcd8722bc7c3 Mon Sep 17 00:00:00 2001
From: Onur Solmaz
Date: Sat, 14 Mar 2026 13:12:27 +0100
Subject: [PATCH] ci: switch npm release workflow to trusted publishing

---
 .github/workflows/openclaw-npm-release.yml | 14 ++++++++++----
 docs/reference/RELEASING.md | 1 +
 scripts/openclaw-npm-publish.sh | 11 +----------
 3 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/openclaw-npm-release.yml b/.github/workflows/openclaw-npm-release.yml
index 48d97baf268..442f46249a4 100644
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -26,7 +26,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
-id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@v6
@@ -57,7 +56,6 @@ jobs:
 echo "Would run: pnpm check"
 echo "Would run: pnpm build"
 echo "Would run: pnpm release:check"
-bash scripts/openclaw-npm-publish.sh --dry-run
 - name: Validate release tag and package metadata
 env:
@@ -111,6 +109,16 @@ jobs:
 contents: read
 id-token: write
 steps:
+- name: Validate tag input format
+env:
+RELEASE_TAG: ${{ inputs.tag }}
+run: |
+set -euo pipefail
+if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
+echo "Invalid release tag format: ${RELEASE_TAG}"
+exit 1
+fi
+
 - name: Checkout
 uses: actions/checkout@v6
 with:
@@ -161,6 +169,4 @@ jobs:
 run: pnpm release:check
 - name: Publish
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: bash scripts/openclaw-npm-publish.sh --publish
diff --git a/docs/reference/RELEASING.md b/docs/reference/RELEASING.md
index a14b258d01d..f14c0d5bdd1 100644
--- a/docs/reference/RELEASING.md
+++ b/docs/reference/RELEASING.md
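Review bot: Dropping `bash scripts/openclaw-npm-publish.sh --dry-run` from the preview job's `run:` block leaves that job with echo-only placeholders, so a breakage in the publish script's version or channel resolution is first seen in the real publish run after environment approval rather than on the tag push. If the removal is because the script's dry-run path no longer works in a job without an OIDC token, a comment on the step should say so, e.g. `# The publish script is not dry-run here: this job has no id-token permission for OIDC.`; otherwise the dry-run invocation, which as far as this patch shows only prints the resolved publish command, is worth keeping. The `run:` block this hunk edits starts outside the hunk.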
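Review bot: The tag pattern in the new `Validate tag input format` step accepts only `[1-9][0-9]*` for the second and third components and for the beta counter, so tags such as `v2026.4.0` or `v2026.4.10-beta.0` are rejected; if a zero component can ever be a legitimate release, those classes should read `(0|[1-9][0-9]*)`. Passing the dispatch input through `RELEASE_TAG` in `env` rather than interpolating `${{ inputs.tag }}` into the script body is the right shape and should be kept, and running the check before checkout means a malformed tag fails before any repository content is fetched. The anchored regex also needs a comment stating the expected scheme so later versioning changes keep the two in sync, e.g. `# Expected tag: v<four digits>.<minor>.<patch> with optional -beta.<n> suffix` (the four-digit first component looks like a year, but that is not stated anywhere in the hunk).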
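Review bot: Removing `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` stops the workflow from using the token, but the `NPM_TOKEN` secret itself remains a live long-lived credential unless it is revoked on npm and deleted from the repository or environment settings; that cleanup is outside the diff and worth recording alongside this change. The publish job keeps `id-token: write`, which trusted publishing needs, and nothing in the hunk restricts which tag or ref the OIDC-backed publish runs on beyond the new format check, so the `npm-release` environment approval named in the docs hunk is the gate on publication (the `environment` line is outside the hunk). Trusted publishing also needs an npm CLI recent enough to perform the OIDC exchange (npm 11.5.1 or later), so the Node/pnpm setup step, outside this hunk, should pin a version that satisfies that; if the script publishes through pnpm rather than npm, confirm the installed pnpm supports OIDC publishing as well.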
@@ -94,6 +94,7 @@ Historical note:
 - [ ] Confirm git status is clean; commit and push as needed.
 - [ ] Confirm npm trusted publishing is configured for the `openclaw` package.
+- [ ] Do not rely on an `NPM_TOKEN` secret for this workflow; the publish job uses GitHub OIDC trusted publishing.
 - [ ] Push the matching git tag to trigger the preview run in `.github/workflows/openclaw-npm-release.yml`.
 - [ ] Run `OpenClaw NPM Release` manually with the same tag to publish after `npm-release` environment approval.
 - Stable tags publish to npm `latest`.
diff --git a/scripts/openclaw-npm-publish.sh b/scripts/openclaw-npm-publish.sh
index e83f7eea84f..a5cb2c67d7a 100644
--- a/scripts/openclaw-npm-publish.sh
+++ b/scripts/openclaw-npm-publish.sh
@@ -20,16 +20,7 @@ fi
 echo "Resolved package version: ${package_version}"
 echo "Resolved release channel: ${release_channel}"
-
-if [[ -n "${NODE_AUTH_TOKEN:-}" ]]; then
-if [[ "${mode}" == "--dry-run" ]]; then
-echo 'Would write npm auth config to $HOME/.npmrc using NODE_AUTH_TOKEN'
-else
-printf '//registry.npmjs.org/:_authToken=%s\n' "${NODE_AUTH_TOKEN}" > "${HOME}/.npmrc"
-fi
-else
-echo 'No NODE_AUTH_TOKEN set in this environment'
-fi
+echo "Publish auth: GitHub OIDC trusted publishing"
 printf 'Publish command:'
 printf ' %q' "${publish_cmd[@]}"
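Review bot: The new `echo "Publish auth: GitHub OIDC trusted publishing"` is printed unconditionally, including when the script runs outside GitHub Actions or in a job without `id-token: write`, where no OIDC token exists and `--publish` would only fail later inside the publish command with a less direct error. A guard on the Actions OIDC environment for publish mode fails fast with a clear message instead; `ACTIONS_ID_TOKEN_REQUEST_URL` is set by the runner only when the job has the id-token permission, and `mode` is already in scope from the removed branch. The script's `mode` handling and `publish_cmd` construction are above this hunk. Dropping the `.npmrc` write also means a pre-existing `${HOME}/.npmrc` auth entry on a non-ephemeral runner would still be honoured by npm, which deserves a one-line comment if self-hosted runners are ever used for this job.
```shell
echo "Resolved release channel: ${release_channel}"

if [[ "${mode}" == "--publish" && -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then
  echo "Publish requires GitHub OIDC (job permission id-token: write); ACTIONS_ID_TOKEN_REQUEST_URL is not set" >&2
  exit 1
fi
echo "Publish auth: GitHub OIDC trusted publishing"
# … unchanged: publish command echo …
```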