chore: use id-token write and npm_config_provenance in npm publish (#11134)

https://linear.app/unleash/issue/2-4082/fix-npm-publish-in-unleash-releaseyaml Uses `NPM_CONFIG_PROVENANCE` in npm publish.
2026-01-05 20:06:22 +01:00 · 2025-12-12 10:48:48 +00:00 · 2025-12-12 10:48:48 +00:00 · 0187efcc00
commit 0187efcc00
parent 80fbaf1baf
1 changed files with 7 additions and 6 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,4 +1,8 @@
 name: 'Publish to npm'
+
+permissions:
+  id-token: write
+
 on:
  workflow_dispatch:
    inputs:
@ -16,17 +20,12 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [20.x]
-
    steps:
      - uses: actions/checkout@v4
        with:
          ref: v${{ inputs.version }} # tag that should be created by the caller workflow
      - name: Setup to npm
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: 22.x
          registry-url: 'https://registry.npmjs.org'
@ -37,6 +36,8 @@ jobs:
        run: |
          yarn install --immutable
      - name: Publish to npm
+        env:
+          NPM_CONFIG_PROVENANCE: true
        run: |
          LATEST=$(npm show unleash-server version)
          TAG=$(node scripts/npm-tag.js $LATEST)