From f577742c04f7b6eaa8a37bd6c1ebceeffc45614d Mon Sep 17 00:00:00 2001 From: kite Date: Fri, 12 Jun 2026 20:02:52 +0800 Subject: [PATCH] ci: drop npm provenance flag incompatible with self-hosted runners Sigstore provenance verification only supports GitHub-hosted runners, causing E422 on publish. Remove --provenance and the unused id-token permission. --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b176633..e4c8935 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -84,7 +84,6 @@ jobs: image: node:20 permissions: contents: read - id-token: write steps: - uses: actions/checkout@v4 @@ -103,6 +102,6 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Publish to npm - run: npm publish --access public --provenance + run: npm publish --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}