@jkebinger
Summary

  • Upgrades Yarn from 4.9.2 to 4.11.0 to enable npm trusted publisher support
  • Replaces npmAuthToken with npmPublishProvenance: true in .yarnrc.yml
  • Updates GitHub workflows to use Yarn 4.11.0
  • Removes --provenance flags from publish commands (now handled automatically by Yarn config)

Changes

This implements the same changes as ReforgeHQ/sdk-node#34 for the JavaScript SDK.

Yarn 4.11.0 is required for proper npm trusted publisher support with OIDC authentication. By setting npmPublishProvenance: true in the Yarn configuration, provenance attestations are now generated automatically without needing the --provenance CLI flag.

The workflow authenticates using GitHub's OIDC token (via the existing id-token: write permission) instead of stored authentication tokens, improving security for package publishing.

Test plan

  • Verify CI passes with the new Yarn version
  • Test publishing workflow (will be verified on merge to main)

🤖 Generated with Claude Code

- Update packageManager to yarn@4.11.0 in package.json
- Replace npmAuthToken with npmPublishProvenance in .yarnrc.yml
- Update GitHub workflows to use Yarn 4.11.0
- Remove --provenance flags from publish commands (now handled by config)

This enables OIDC authentication for npm publishing with automatic
provenance attestation generation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

@jdwyah jdwyah left a comment

thanks!

@jkebinger jkebinger merged commit 7b33452 into main Nov 20, 2025
1 check passed
@jkebinger jkebinger deleted the yarn-4.11.0-trusted-publisher branch November 20, 2025 23:06
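
A pre-merge check for the settings this PR describes, added here as an example and not part of the PR or the project's code. The helper name `audit_publish_config`, the sample file contents and the `NPM_TOKEN` variable name are assumptions constructed for illustration.

```python
import json
import re

MIN_YARN = (4, 11, 0)  # version the PR description says trusted publishing needs

def _live(text):
    """Lines of a YAML file with full-line and trailing comments removed."""
    return [re.sub(r"\s+#.*$", "", ln).rstrip()
            for ln in text.splitlines() if not ln.lstrip().startswith("#")]

def audit_publish_config(yarnrc, package_json, workflow):
    """Hypothetical helper: return findings; an empty list means all checks pass."""
    findings = []
    rc = _live(yarnrc)
    # A stored token may sit at top level or nested (npmScopes, npmRegistries).
    if any(re.match(r"\s*npmAuthToken\s*:", ln) for ln in rc):
        findings.append("yarnrc: npmAuthToken still configured")
    if not any(re.match(r"npmPublishProvenance\s*:\s*true$", ln) for ln in rc):
        findings.append("yarnrc: npmPublishProvenance is not true")
    pm = json.loads(package_json).get("packageManager", "")
    m = re.match(r"yarn@(\d+)\.(\d+)\.(\d+)", pm)
    if not m or tuple(map(int, m.groups())) < MIN_YARN:
        findings.append(f"package.json: packageManager {pm!r} is below yarn@4.11.0")
    # Without this permission the job cannot request a GitHub OIDC token.
    if not any(re.match(r"\s*id-token\s*:\s*write$", ln) for ln in _live(workflow)):
        findings.append("workflow: id-token: write permission missing")
    return findings

# Constructed sample inputs (not the repository's real files).
BEFORE_YARNRC = 'nodeLinker: node-modules\nnpmAuthToken: "${NPM_TOKEN}"\n'
AFTER_YARNRC = "nodeLinker: node-modules\nnpmPublishProvenance: true\n"
BEFORE_PKG = '{"packageManager": "yarn@4.9.2"}'
AFTER_PKG = '{"packageManager": "yarn@4.11.0"}'
WORKFLOW_NO_OIDC = "permissions:\n  contents: read\n"
WORKFLOW_OIDC = "permissions:\n  contents: read\n  id-token: write\n"

if __name__ == "__main__":
    for label, args in (("before", (BEFORE_YARNRC, BEFORE_PKG, WORKFLOW_NO_OIDC)),
                        ("after", (AFTER_YARNRC, AFTER_PKG, WORKFLOW_OIDC))):
        print(label, audit_publish_config(*args) or "ok")
```

The matching is line-based rather than a full YAML parse, so it suits a quick CI gate; a setting written in flow style or quoted as a string would need a real parser.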