Adopt npm trusted publishing in CI by ryantm · Pull Request #100 · replit/ruspty

ryantm · 2026-03-24T14:20:20Z

Why

npm trusted publishing via GitHub OIDC removes the long-lived NPM_TOKEN requirement from the release workflow.
npm's trusted publisher flow also requires a newer Node/npm runtime in the publish job.

reduced the workflow's default permissions to read-only and scoped id-token: write to the publish job
switched the publish job to actions/setup-node with Node 24 and the npm registry URL configured
removed token-based npm auth from npm publish and updated the publishing docs to point at the CI.yml trusted publisher setup

git diff --check
did not run repo tests; this only changes GitHub Actions workflow and publishing docs

Safe to revert in git.
If NPM_TOKEN is removed during rollout, reverting this workflow also requires restoring that secret or updating npm publishing settings to match.

~ written by Zerg 👾

Adopt npm trusted publishing in CI

5912cc3

ryantm added the zergling-authored Authored by Zerg label Mar 24, 2026

ryantm marked this pull request as ready for review March 24, 2026 14:23

jasondellaluce approved these changes Mar 24, 2026

View reviewed changes

ryantm enabled auto-merge (squash) March 24, 2026 14:25

ryantm merged commit d1c2c8b into main Mar 24, 2026
15 of 16 checks passed

ryantm deleted the zerg/oidc-trusted-publishing branch March 24, 2026 14:59