Skip to content
Eight Effect-native API SDKs are live.Explore the catalog
Distilled
Esc
navigateopen⌘Jpreview
On this page

Secure publishing

Tokenless npm releases with GitHub Actions and OIDC trusted publishers.

Every Distilled package publishes through an exact GitHub Actions workflow identity. npm accepts the short-lived OIDC assertion and long-lived publish tokens are disallowed.

No npm token 2FA enforced OIDC

Trust chain

Workflow requirements

  • GitHub-hosted runner
  • Node 24 and npm 11.5.1 or newer
  • permissions: id-token: write
  • Exact repository, publish.yml, and npm environment configured in npm
  • Package setting: Require 2FA and disallow tokens
  • Immutable commit pins for release actions

Release posture

The workflow typechecks, tests, builds, and publishes. Full spec regeneration remains a source-maintenance check because GitHub’s repository token intentionally cannot read sibling private spec repositories. This avoids introducing a cross-repository personal access token merely to publish already-reviewed generated code.

Read npm’s trusted publishing documentation.

Last updated on July 15, 2026

Was this page helpful?