ci: migrate to trusted publishing

frantic1048 · frantic1048 · commit 8745bb68da80 · 2025-10-22T14:07:48.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -79,6 +79,9 @@ jobs:
     if: ${{ always() && !failure() && !cancelled() }}
     needs: [test, check-beachball-changefile]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
@@ -93,20 +96,14 @@ jobs:
 
       - name: Publish (development)
         if: github.repository == 'RightCapitalHQ/phpdoc-parser' && github.base_ref == github.event.repository.default_branch
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
         run: |
-          npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
           preid="${HEAD_REF//\//-}".${{ github.run_number }}.${{ github.run_attempt }}
           npm --no-git-tag-version version prerelease --preid="${preid}"
           pnpm publish --no-git-checks --access public --tag development
 
       - name: Publish (main)
         if: github.repository == 'RightCapitalHQ/phpdoc-parser' && github.ref_name == github.event.repository.default_branch
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
         run: |
-          npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
           git config --local user.email "npm-publisher@rightcapital.com"
           git config --local user.name "GitHub Actions[bot]"
           pnpm beachball publish --access public --yes -m 'chore(release): applying package updates'
diff --git a/.node-version b/.node-version
@@ -1 +1 @@
-22.17.1
+24.10.0
