@samwillis samwillis commented Jan 15, 2026

Summary

  • Configure the changesets-release job to use npm's Trusted Publishing feature instead of long-lived npm tokens
  • Uses OpenID Connect (OIDC) for authentication, providing better security through short-lived, workflow-specific credentials
  • Removes dependency on NPM_TOKEN secret

Why Trusted Publishing?

Trusted publishing eliminates the security risks associated with long-lived npm tokens:

  • No token exposure risk - Tokens can be accidentally exposed in logs or compromised; OIDC uses short-lived, cryptographically-signed credentials
  • No manual rotation needed - Each publish uses automatically-generated, workflow-specific credentials
  • Scoped access - Credentials are specific to the configured workflow and cannot be extracted or reused
  • Automatic provenance - npm automatically generates provenance attestations when publishing via trusted publishing

Changes

  • Added id-token: write permission to the changesets-release job (required for GitHub Actions to generate OIDC tokens)
  • Removed NPM_TOKEN secret from the workflow (no longer needed with trusted publishing)
  • Upgraded to Node.js 24 for the changesets-release job (npm trusted publishing requires npm 11.5.1+, which is bundled with Node.js 24)

Configuration

Trusted publishers have been configured on npmjs.com for all packages with:

  • Publisher: GitHub Actions
  • Organization: electric-sql
  • Repository: pglite
  • Workflow filename: build_and_test.yml

Documentation

Test plan

  • Merge and trigger a release via changesets
  • Verify packages publish successfully using OIDC authentication
  • Confirm provenance attestations are generated on published packages

Post-merge recommendation

After verifying trusted publishing works correctly, consider restricting token-based publishing access on npmjs.com by navigating to each package's Settings → Publishing access and selecting "Require two-factor authentication and disallow tokens" for maximum security.

Configure the changesets-release job to use npm's Trusted Publishing
feature instead of long-lived npm tokens. This uses OpenID Connect
(OIDC) for authentication, providing better security through short-lived,
workflow-specific credentials.

Changes:
- Add id-token: write permission for OIDC token generation
- Remove NPM_TOKEN secret (no longer needed with trusted publishing)

See: https://docs.npmjs.com/trusted-publishers
npm trusted publishing requires npm 11.5.1+, which is bundled
with Node.js 24 (npm 11.6.2). Node.js 20 only includes npm 10.8.2.
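The job shape the description and commit messages above describe, written out as an added example; this is not the pglite project's own build_and_test.yml. The job name, the trigger branch, the use of pnpm (with a packageManager field in package.json), and the action versions are assumptions; the security-relevant lines are the job-scoped id-token: write permission, the Node.js 24 toolchain, and the absence of any NPM_TOKEN secret:

```yaml
# Added example of a changesets release job using npm Trusted Publishing.
# Not the project's actual workflow; job name, branch, pnpm and action
# versions are assumptions. The file name matters: npm matches the OIDC
# token's workflow claim against the filename configured on npmjs.com
# (build_and_test.yml in this PR).
name: build_and_test

on:
  push:
    branches: [main]

# Grant nothing by default; each job asks for exactly what it needs.
permissions: {}

jobs:
  changesets-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # changesets pushes version bumps and tags
      pull-requests: write   # changesets opens the "Version Packages" PR
      id-token: write        # lets this job (only) mint a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4   # assumes package.json sets packageManager

      - uses: actions/setup-node@v4
        with:
          node-version: 24   # bundles npm >= 11.5.1, required for trusted publishing

      - run: pnpm install --frozen-lockfile

      - name: Create release PR or publish to npm
        uses: changesets/action@v1
        with:
          publish: pnpm changeset publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Removed in this PR:
          #   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # npm exchanges the job's OIDC token for a short-lived publish
          # credential, so no long-lived registry token is wired into the job.
```

Two practical checks: keep id-token: write on the release job rather than at the workflow level, so other jobs in the same file cannot request an OIDC token; and after the first release, run `npm audit signatures` in a project that installs the package to confirm the registry holds a provenance attestation for the new version.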
@samwillis samwillis requested a review from tdrz January 15, 2026 09:40

@tdrz tdrz left a comment


LGTM


@tdrz tdrz merged commit 9615075 into main Jan 15, 2026
14 checks passed
@tdrz tdrz deleted the trusted-publishing branch January 15, 2026 09:51