chore: ci workflow with oidc

NathanWalker · NathanWalker · commit 59b968df4922 · 2025-12-13T20:49:40.000-08:00
diff --git a/.github/workflows/npm_release.yml b/.github/workflows/npm_release.yml
@@ -150,6 +150,7 @@ jobs:
           path: ${{env.TEST_FOLDER}}/test_results.xcresult
   publish:
     runs-on: ubuntu-latest
+    environment: npm-publish
     needs:
       - build
       - test
@@ -172,10 +173,17 @@ jobs:
         with:
           name: npm-package
           path: dist
-      - name: Publish package
+      - name: Publish package (OIDC trusted publishing)
+        if: ${{ vars.USE_NPM_TOKEN != 'true' }}
         run: |
-          echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG..."
-          npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --provenance
+          echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via OIDC trusted publishing..."
+          npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
+
+      - name: Publish package (granular token)
+        if: ${{ vars.USE_NPM_TOKEN == 'true' }}
+        run: |
+          echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via granular token..."
+          npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
   github-release:
