My repository needs to use a GitHub Personal Access Token in order to bypass branch protection to push Git commits to main. (Sorry, I know this is discouraged, but it's where we are.)
I'd also like to move to the new OIDC trusted publishing system. However, PATs don't seem to have an id-token scope. I'm guessing it's only possible via GitHub Actions' GITHUB_TOKEN and permissions.
Is this configuration possible? My intuition was to set both GITHUB_TOKEN (GitHub Actions) and GH_TOKEN (PAT). This seems to use the PAT so Git push works, but doesn't use GITHUB_TOKEN so NPM fails. Here's a sample run: https://github.com/KaTeX/KaTeX/actions/runs/21322336014/job/61374048157
ci.yml

```yaml
name: CI
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  test:
    ...omitted for brevity...
  release:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    environment: release
    needs: test
    # https://github.com/semantic-release/npm
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Enable Corepack
        run: corepack enable
      - name: Use Node.js 22
        uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install dependencies
        run: yarn --immutable
        env:
          YARN_ENABLE_SCRIPTS: 0 # disable postinstall scripts
      - name: Run semantic-release
        run: yarn run semantic-release --debug
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GIT_AUTHOR_NAME: KaTeX bot
          GIT_AUTHOR_EMAIL: [email protected]
          GIT_COMMITTER_NAME: KaTeX bot
          GIT_COMMITTER_EMAIL: [email protected]
          NPM_AUTH_TOKEN: ""
```

.releaserc

```yaml
{
  "branches": "main",
  "plugins": [
    ["@semantic-release/commit-analyzer", {
      "releaseRules": [
        {breaking: true, release: 'minor'},
        {type: 'feat', release: 'patch'},
      ],
    }],
    "@semantic-release/release-notes-generator",
    ["@semantic-release/changelog", {
      "changelogTitle": "# Changelog\nAll notable changes to this project will be documented in this file. This CHANGELOG roughly follows the guidelines from [www.keepachangelog.com](https://keepachangelog.com/en/1.0.0/).",
    }],
    "@semantic-release/npm",
    ["@semantic-release/git", {
      "assets": ["docs", "package.json", "CHANGELOG.md", "README.md", "contrib/*/README.md", "website/pages/index.html"],
      "message": "chore(release): ${nextRelease.version} [ci skip]\n\n${nextRelease.notes}",
    }],
    ["@semantic-release/github", {
      "assets": [
        {path: 'katex.tar.gz', label: 'tarball'},
        {path: 'katex.zip', label: 'zip'},
      ],
    }],
  ],
}
```

package.json

```json
{
  "name": "katex",
  "version": "0.16.27",
  "description": "Fast math typesetting for the web.",
  ...omitted for brevity...
  "packageManager": "[email protected]",
  "devDependencies": {
    "@semantic-release/changelog": "^6.0.3",
    "@semantic-release/git": "^10.0.1",
    "semantic-release": "^25.0.2",
    ...omitted for brevity...
  },
  "scripts": {
    "semantic-release": "semantic-release",
    ...omitted for brevity...
  },
  ...omitted for brevity...
}
```

I also seem to be running into #1051 by the way. I have similar errors in the run above. But I'm not sure whether that's blocking.