CI changes to support npmjs.com "trusted publisher" auth (#2668)

tybook · web-flow · commit 2abc65d69d6c · 2026-02-04T17:25:08.000-05:00
## Why is this change needed? Describe why this issue should be fixed and link to any relevant design docs, issues or other relevant items. ## Merge Checklist _Choose all relevant options below by adding an `x` now or at any time before submitting for review_ - [ ] PR title adheres to the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) standard - [ ] PR has a [changeset](https://github.com/farcasterxyz/hub-monorepo/blob/main/CONTRIBUTING.md#35-adding-changesets) - [ ] PR has been tagged with a change label(s) (i.e. documentation, feature, bugfix, or chore) - [ ] PR includes [documentation](https://github.com/farcasterxyz/hub-monorepo/blob/main/CONTRIBUTING.md#32-writing-docs) if necessary.  --- ## PR-Codex overview This PR updates the CI workflow for package releases, including changes to permissions, Node.js version, and the `changesets/action` version, while also modifying the handling of NPM tokens. ### Detailed summary - Added permissions for `contents` and `id-token` in the workflow. - Updated `node-version` from `18` to `22.x`. - Set `registry-url` to `https://registry.npmjs.org`. - Upgraded `changesets/action` from `v1` to `v1.6.0`. - Changed `NPM_TOKEN` to an empty string. - Enabled `NPM_CONFIG_PROVENANCE`. > ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`
diff --git a/.changeset/shaggy-bags-breathe.md b/.changeset/shaggy-bags-breathe.md
@@ -0,0 +1,8 @@
+---
+"@farcaster/core": patch
+"@farcaster/hub-nodejs": patch
+"@farcaster/hub-web": patch
+"@farcaster/shuttle": patch
+---
+
+Test deploy with new CI auth method
diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml
@@ -9,12 +9,16 @@ concurrency:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '22.x'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Restore cached dependencies for Node modules.
         id: module-cache
@@ -28,10 +32,11 @@ jobs:
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@v1.6.0
         with:
           publish: yarn release-packages
           version: yarn version-packages
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ''
+          NPM_CONFIG_PROVENANCE: true
