@skilbjo/config-rc 1.0.25 → 1.0.26

package/.github/workflows/pr.yml

@@ -9,13 +9,15 @@ defaults:
   run:
     shell: bash
 
-permissions:
-  pull-requests: write
-
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    if: github.event.pull_request.head.repo.full_name == github.repository # Security: Only run on PRs from the same repository
+    permissions:
+      contents: read # Needed for checkout and npm install
+      pull-requests: read # Needed to read PR information
+
     steps:
       - uses: actions/checkout@v5
         with:
@@ -31,10 +33,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - run: make ci
-        env:
-          GITHUB_TOKEN: ${{ secrets.READ_ONLY_PAT }}
-          NPM_TOKEN: ${{ secrets.READ_ONLY_PAT }}
-          NODE_AUTH_TOKEN: ${{ secrets.READ_ONLY_PAT }}
 
       - name: Set up NPM authentication for dry release
         run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.ACTIONS_TOKEN }}" >> ~/.npmrc
@@ -57,7 +55,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-and-test
     timeout-minutes: 2
+    permissions:
+      pull-requests: write
     if: ${{ github.actor == 'dependabot[bot]' }}
+
     steps:
       - uses: dependabot/fetch-metadata@v2.4.0
         with:

package/.github/workflows/release.yml

@@ -15,6 +15,7 @@ jobs:
   publish-artifact:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    if: github.repository == 'skilbjo/config-rc' # Security: Only run on pushes to the main repository
     permissions:
       packages: write
       id-token: write  # Required for npm provenance generation
@@ -34,10 +35,6 @@ jobs:
           node-version-file: .nvmrc
           cache: npm
 
-      - run: npm ci
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - run: make ci
 
       - uses: cycjimmy/semantic-release-action@v4
@@ -63,13 +60,10 @@ jobs:
         if: steps.semantic.outputs.new_release_published == 'true'
         run: |
           # npm --no-git-tag-version version ${{ steps.semantic.outputs.new_release_version }}
-          jq 'del(.publishConfig) | . + { publishConfig: { registry: "https://registry.npmjs.org/", "access": "public", "provenance": true } }' package.json >package2.json && mv package2.json package.json
-          # Ensure npm provenance is enabled
-          npm config set provenance true
+          npm run prepare-npm
 
       - name: Publish to NPM
         if: steps.semantic.outputs.new_release_published == 'true'
-        uses: JS-DevTools/npm-publish@v3
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
-          access: public
+        run: |
+          npm install -g npm@latest # Ensure npm 11.5.1+ for trusted publishing
+          npm publish

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [1.0.26](https://github.com/skilbjo/config-rc/compare/v1.0.25...v1.0.26) (2025-08-30)
+
+
+### Bug Fixes
+
+* trusted publishing with no token ([98bfa61](https://github.com/skilbjo/config-rc/commit/98bfa611e031e9fcf6c9a1b6363354552ddde513))
+
 ## [1.0.25](https://github.com/skilbjo/config-rc/compare/v1.0.24...v1.0.25) (2025-08-29)
 
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package",
   "name": "@skilbjo/config-rc",
-  "version": "1.0.25",
+  "version": "1.0.26",
   "description": "eslint, prettier, & tsconfig config",
   "main": "index.js",
   "private": false,
@@ -14,7 +14,8 @@
     "eslint": "eslint .",
     "lint": "npm run eslint",
     "depcheck": "depcheck",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "prepare-npm": "jq 'del(.publishConfig) | . + { publishConfig: { registry: \"https://registry.npmjs.org/\", access: \"public\", provenance: true } }' package.json >package2.json && mv package2.json package.json"
   },
   "keywords": [
     "eslint",