@@ -51,40 +51,72 @@ jobs:
5151 npm --no-git-tag-version version "$VERSION" || exit 1
5252 echo "PACKAGE_VERSION=$VERSION" >> $GITHUB_ENV
5353
54- - name : Build and Publish
54+ - name : Build
5555 run : |
5656 echo "Publishing version: $PACKAGE_VERSION"
5757 cat package.json | grep -A2 '"name"'
5858 npm ci
5959 npm run codegen
6060 npm run build:release
61-
62- # Get OIDC token from GitHub
63- echo "Requesting OIDC token..."
64- OIDC_TOKEN=$(curl -s -H "Authorization: bearer ${{ secrets.GITHUB_TOKEN }}" \
65- "$ACTIONS_ID_TOKEN_REQUEST_URL?audience=https://registry.npmjs.org" | \
66- jq -r '.token')
67-
68- if [[ -z "$OIDC_TOKEN" || "$OIDC_TOKEN" == "null" ]]; then
69- echo "Failed to get OIDC token"
70- exit 1
71- fi
72- echo "Got OIDC token"
73-
74- # Exchange OIDC token for NPM token
75- echo "Exchanging for NPM token..."
76- RESPONSE=$(curl -s -X POST https://registry.npmjs.org/-/npm/v1/security/oidc/token \
77- -H "Authorization: Bearer $OIDC_TOKEN")
78- echo "NPM response: $RESPONSE"
79-
80- NPM_TOKEN=$(echo "$RESPONSE" | jq -r '.token')
81-
82- if [[ -z "$NPM_TOKEN" || "$NPM_TOKEN" == "null" ]]; then
83- echo "Failed to get NPM token from OIDC exchange"
84- exit 1
85- fi
86- echo "Got NPM token"
87-
88- # Use the temporary token for publishing
89- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
90- npm publish --provenance --access public
61+
62+ - name : Get NPM token via OIDC
63+ uses : actions/github-script@v7
64+ with :
65+ script : |
66+ const https = require('https');
67+ const fs = require('fs');
68+
69+ // Get OIDC token from GitHub
70+ console.log('Getting OIDC token from GitHub...');
71+ const token = await core.getIDToken('https://registry.npmjs.org');
72+ console.log('Successfully got OIDC token');
73+
74+ // Exchange it with NPM
75+ console.log('Exchanging OIDC token for NPM access token...');
76+ return new Promise((resolve, reject) => {
77+ const postData = JSON.stringify({});
78+ const options = {
79+ hostname: 'registry.npmjs.org',
80+ path: '/-/npm/v1/security/oidc/token',
81+ method: 'POST',
82+ headers: {
83+ 'Authorization': `Bearer ${token}`,
84+ 'Content-Type': 'application/json',
85+ 'Content-Length': Buffer.byteLength(postData)
86+ }
87+ };
88+
89+ const req = https.request(options, (res) => {
90+ let body = '';
91+ res.on('data', chunk => body += chunk);
92+ res.on('end', () => {
93+ try {
94+ const data = JSON.parse(body);
95+ if (res.statusCode !== 200) {
96+ console.log('NPM returned status:', res.statusCode);
97+ console.log('Response:', body);
98+ throw new Error(`NPM returned ${res.statusCode}`);
99+ }
100+ if (!data.token) {
101+ throw new Error('No token in NPM response');
102+ }
103+ console.log('Got NPM token, updating .npmrc');
104+ const npmrcPath = `${process.env.HOME}/.npmrc`;
105+ let npmrc = fs.readFileSync(npmrcPath, 'utf8');
106+ npmrc += `\n//registry.npmjs.org/:_authToken=${data.token}\n`;
107+ fs.writeFileSync(npmrcPath, npmrc);
108+ console.log('Updated .npmrc with auth token');
109+ resolve();
110+ } catch (err) {
111+ reject(err);
112+ }
113+ });
114+ });
115+
116+ req.on('error', reject);
117+ req.write(postData);
118+ req.end();
119+ });
120+
121+ - name : Publish to NPM
122+ run : npm publish --provenance --access public
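Review bot: The exchanged npm token is written to `~/.npmrc` without being registered as a secret, so a later step that echoes it would print it unmasked; add `core.setSecret(data.token);` right after the `!data.token` check. The same block calls `fs.readFileSync(npmrcPath, 'utf8')`, which throws if `~/.npmrc` does not exist yet, whereas the removed shell version used `>>`, which creates the file; whether an earlier step creates it is not visible in this hunk. Replacing the read/concatenate/write with `fs.appendFileSync(npmrcPath, line, { mode: 0o600 })`, where `line` is the existing auth-token string, covers the missing-file case and keeps a newly created file readable by the owner only. Separately, `JSON.parse(body)` runs before the `res.statusCode !== 200` check, so a non-JSON error response surfaces as a parse error and the status code is never logged; checking the status first would keep failures diagnosable.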