Secure publishing
Tokenless npm releases with GitHub Actions and OIDC trusted publishers.
Every Distilled package publishes through an exact GitHub Actions workflow identity. npm accepts the short-lived OIDC assertion and long-lived publish tokens are disallowed.
No npm token 2FA enforced OIDCTrust chain
Workflow requirements
- GitHub-hosted runner
- Node 24 and npm 11.5.1 or newer
permissions: id-token: write- Exact repository,
publish.yml, andnpmenvironment configured in npm - Package setting: Require 2FA and disallow tokens
- Immutable commit pins for release actions
Release posture
The workflow typechecks, tests, builds, and publishes. Full spec regeneration remains a source-maintenance check because GitHub’s repository token intentionally cannot read sibling private spec repositories. This avoids introducing a cross-repository personal access token merely to publish already-reviewed generated code.