build: switch npm to trusted publishing

author: Mohamed Bassem <me@mbassem.com> 2025-11-29 13:08:04 +0000
committer: Mohamed Bassem <me@mbassem.com> 2025-11-29 14:55:02 +0000
commit: 335a84bb59377371ecb2e6dc9702ce572d2e6cc6 (patch)
tree: eb4585fa43e29a996bec8174447171c1c2989c1a /.github/workflows
parent: 86a4b3966504507afd6c3adbb6a1246cafd39d83 (diff)
download: karakeep-335a84bb59377371ecb2e6dc9702ce572d2e6cc6.tar.zst
4 files changed, 16 insertions, 39 deletions
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index b40d99cc..ac4370cb 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -4,6 +4,11 @@ on:
     tags:
       # This is a glob pattern not a regex
       - 'cli/v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -19,6 +24,3 @@ jobs:
 
       - run: pnpm publish --access public --no-git-checks
         working-directory: apps/cli
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
-
diff --git a/.github/workflows/mcp.yml b/.github/workflows/mcp.yml
index b38cfa9a..afe3f357 100644
--- a/.github/workflows/mcp.yml
+++ b/.github/workflows/mcp.yml
@@ -3,7 +3,12 @@ on:
   push:
     tags:
       # This is a glob pattern not a regex
-      - 'mcp/v[0-9]+.[0-9]+.[0-9]+'
+      - "mcp/v[0-9]+.[0-9]+.[0-9]+"
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -19,6 +24,3 @@ jobs:
 
       - run: pnpm publish --access public --no-git-checks
         working-directory: apps/mcp
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
-
diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml
deleted file mode 100644
index d7728415..00000000
--- a/.github/workflows/opencode.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: opencode
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  opencode:
-    if: |
-      github.actor == 'MohamedBassem' && (
-        contains(github.event.comment.body, '/oc') ||
-        contains(github.event.comment.body, '/opencode')
-      )
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run opencode
-        uses: sst/opencode/github@latest
-        env:
-          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-        with:
-          model: openrouter/moonshotai/kimi-k2
diff --git a/.github/workflows/sdk.yml b/.github/workflows/sdk.yml
index d14057c8..678d7570 100644
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -4,6 +4,11 @@ on:
     tags:
       # This is a glob pattern not a regex
       - 'sdk/v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -19,6 +24,3 @@ jobs:
 
       - run: pnpm publish --access public --no-git-checks
         working-directory: packages/sdk
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
-
author	Mohamed Bassem <me@mbassem.com>	2025-11-29 13:08:04 +0000
committer	Mohamed Bassem <me@mbassem.com>	2025-11-29 14:55:02 +0000
commit	335a84bb59377371ecb2e6dc9702ce572d2e6cc6 (patch)
tree	eb4585fa43e29a996bec8174447171c1c2989c1a /.github/workflows
parent	86a4b3966504507afd6c3adbb6a1246cafd39d83 (diff)
download	karakeep-335a84bb59377371ecb2e6dc9702ce572d2e6cc6.tar.zst