npm publish with provenance requires "write" access to the "id-token"…

… permission.
cowwoc · Oct 31, 2024 · 4399ab6 · 4399ab6
1 parent 568b5a7
commit 4399ab6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -6,7 +6,6 @@ on:
   pull_request_target:
     types: [ opened,closed,synchronize ]
 
-# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
 permissions:
   actions: write
   contents: write
@@ -17,14 +16,15 @@ jobs:
   CLAAssistant:
     runs-on: ubuntu-latest
     steps:
-      - name: "CLA Assistant"
+      # https://github.com/contributor-assistant/github-action
+      - name: "CLA Assistant Lite"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/[email protected]
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # the below token should have repo scope and must be manually added by you in the repository's secret
-          # This token is required only if you have configured to store the signatures in a remote repository/organization
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}
+        #GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # the below token should have repo scope and must be manually added by you in the repository's secret
+        # This token is required only if you have configured to store the signatures in a remote repository/organization
+        #PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}
         with:
           path-to-signatures: 'cla/version1/signatures/cla.json'
           path-to-document: 'https://github.com/cowwoc/requirements.js/blob/master/cla/version1/cla.md' # e.g. a CLA or a DCO document

diff --git a/.github/workflows/deploy_to_npm.yml b/.github/workflows/deploy_to_npm.yml
@@ -4,6 +4,10 @@ on:
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   open-release:
     runs-on: ubuntu-latest
@@ -46,7 +50,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.open-release.outputs.TAG }}
-          token: ${{ secrets.WORKFLOW_TOKEN }}
           fetch-depth: 0
 
       - name: Install node
@@ -101,7 +104,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
-          token: ${{ secrets.WORKFLOW_TOKEN }}
           fetch-depth: 0
       - name: Install node
         uses: actions/setup-node@v4