Use NPM trusted publishing

.github/workflows/ci.yml

@@ -181,14 +181,18 @@ jobs:
     name: NPM
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v6
 
+      - run: corepack enable
+
       - uses: actions/setup-node@v6
         with:
           node-version: 20
-          registry-url: https://registry.npmjs.org
           cache: npm
           cache-dependency-path: typescript/package-lock.json
 
@@ -208,25 +212,5 @@ jobs:
         working-directory: typescript
 
       - run: npm run publish
-        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        # if: ${{ startsWith(github.ref, 'refs/tags/v') }}
         working-directory: typescript
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-
-  dependabot:
-    name: Dependabot
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
-    steps:
-      - name: Automatically approve dependabot PRs
-        uses: octokit/[email protected]
-        with:
-          route: POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews
-          owner: ${{ github.event.repository.owner.login }}
-          repo: ${{ github.event.repository.name }}
-          pull_number: ${{ github.event.pull_request.number }}
-          event: APPROVE
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependabot.yml

@@ -0,0 +1,22 @@
+name: Dependabot
+
+on:
+  pull_request:
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Approve Dependabot PR
+        uses: octokit/[email protected]
+        with:
+          route: POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews
+          owner: ${{ github.event.repository.owner.login }}
+          repo: ${{ github.event.repository.name }}
+          pull_number: ${{ github.event.pull_request.number }}
+          event: APPROVE
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml → .github/workflows/post-release.yml

@@ -1,12 +1,12 @@
-name: Release
+name: Post Release
 
 on:
   push:
     tags: ["v*"]
 
 jobs:
   homebrew:
-    name: Bump Homebrew formula
+    name: Bump Homebrew Formula
     runs-on: ubuntu-latest
     steps:
       - uses: mislav/bump-homebrew-formula-action@v3

.prettierrc.json

@@ -0,0 +1 @@
+{}

pkg/dbmate/version.go

@@ -1,4 +1,4 @@
 package dbmate
 
 // Version of dbmate
-const Version = "2.29.0"
+const Version = "2.29.1"

typescript/package.json

@@ -1,5 +1,6 @@
 {
   "private": true,
+  "packageManager": "[email protected]",
   "scripts": {
     "clean": "rimraf dist packages/dbmate/dist",
     "lint": "eslint --report-unused-disable-directives --fix .",

typescript/packages/dbmate/package.json

@@ -15,7 +15,9 @@
     "schema",
     "sqlite"
   ],
-  "bin": "./dist/cli.js",
+  "bin": {
+    "dbmate": "dist/cli.js"
+  },
   "main": "./dist/index.js",
   "files": [
     "dist"

typescript/packages/template/package.json

@@ -3,6 +3,8 @@
   "version": "{{version}}",
   "description": "The {{jsOS}} {{jsArch}} binary for dbmate",
   "repository": "https://github.com/amacneil/dbmate",
+  "homepage": "https://github.com/amacneil/dbmate#readme",
+  "author": "Adrian Macneil",
   "license": "MIT",
   "preferUnplugged": true,
   "os": [

typescript/publish.ts

@@ -8,7 +8,18 @@ async function main() {
   );
 
   for (const pkg of packages) {
-    await exec("npm", ["publish", "--access", "public", pkg]);
+    // Unset NODE_AUTH_TOKEN to avoid conflicts with OIDC trusted publishing
+    delete process.env.NODE_AUTH_TOKEN;
+    await exec("corepack", ["npm", "--version"]);
+    await exec("corepack", [
+      "npm",
+      "publish",
+      "--dry-run",
+      "--provenance",
+      "--access",
+      "public",
+      pkg,
+    ]);
   }
 }