From d03780a00231ef9e47487362dc2eaf2e1956abdd Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 19 Mar 2026 16:11:02 -0700
Subject: [PATCH] fix(ci): fix VERSION_BUMP scoping and remove unused NPM token from publish job

Move VERSION_BUMP env var to the Version packages step where it is actually used, and remove it from Configure git where it was unused. Remove AWS credentials and NPM token fetch from the publish job since OIDC trusted publishing handles auth via id-token.
---
 .github/workflows/prod-release.yml | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml
index 9a0aa091..19db770a 100644
--- a/.github/workflows/prod-release.yml
+++ b/.github/workflows/prod-release.yml
@@ -74,13 +74,14 @@ jobs:
 - name: Configure git
 env:
 BRANCH: ${{ github.event.inputs.branch }}
- VERSION_BUMP: ${{ github.event.inputs.version_bump }}
 run: |
 git config --global user.name "aws-crypto-tools-ci-bot"
 git config --global user.email "no-reply@noemail.local"
 git checkout $BRANCH
 
 - name: Version packages
+ env:
+ VERSION_BUMP: ${{ github.event.inputs.version_bump }}
 run: |
 # Generate new version and CHANGELOG entry and push it
 npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
@@ -100,19 +101,6 @@ jobs:
 node-version: '22'
 registry-url: 'https://registry.npmjs.org'
 
- - name: Configure AWS Credentials for Publish
- uses: aws-actions/configure-aws-credentials@v5
- with:
- aws-region: us-west-2
- role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
- role-session-name: CI_Bot_Publish
-
- - name: Get NPM Token
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
- with:
- secret-ids: npm/aws-crypto-tools-ci-bot/2FA
- parse-json-secrets: true
-
 # Ensure npm 11.5.1 or later is installed
 - name: Update npm
 run: npm install -g npm@latest
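Review bot: In the first hunk, the `VERSION_BUMP` value now scoped to the `Version packages` step comes from the `version_bump` dispatch input and is expanded unquoted in `${VERSION_BUMP:+$VERSION_BUMP --force-publish}`, so whitespace or glob characters in the input would be word-split into extra `lerna version` arguments in a job that pushes to the remote. Passing the input through `env:` instead of interpolating `${{ }}` into the script is the right pattern; quoting the inner expansion keeps it a single argument: `${VERSION_BUMP:+"$VERSION_BUMP" --force-publish}`. The input's declaration is outside this hunk, so if it is not already a `choice`, a short allow-list check on the expected bump keywords before the `npx` call would be worth adding. The context line `git checkout $BRANCH` in `Configure git` has the same unquoted expansion and could become `git checkout "$BRANCH"`. The step's `run` block may continue past the end of the hunk.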