# Publish the EventDock n8n community node to npm WITH PROVENANCE. # # n8n requires verified community nodes to be published via a GitHub Actions # workflow that attaches an npm provenance statement (sigstore). This proves # the published tarball was built from this repo at this commit. # # Setup (one-time, done by the npm package owner — NOT automated here): # 1. On npmjs.com → package Settings → "Publish access" → "Trusted Publishers" # → "Add a publisher" → GitHub Actions, with: # repository owner: eventdock # repository name: n8n-nodes-eventdock # workflow name: publish.yml # (Trusted Publishers means NO NPM_TOKEN secret is needed — OIDC is used.) # 2. Push a tag like `v0.1.0`, or run this workflow manually. # # This workflow is intentionally NOT triggered by code review; it only runs on # a version tag or manual dispatch. name: Publish to npm (with provenance) on: push: tags: - 'v*' workflow_dispatch: permissions: contents: read id-token: write # REQUIRED for npm provenance / OIDC trusted publishing jobs: publish: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '20.x' registry-url: 'https://registry.npmjs.org' - name: Install dependencies # --ignore-scripts: isolated-vm (transitive devDep) fails its native build on # newer runner V8; it isn't needed to build or publish this package. run: npm ci --ignore-scripts - name: Build run: npm run build # Lint step removed 2026-07-03: ESLint v9 flat-config migration still pending # (see prepublishOnly commit). Lint locally; it is not a publish gate. # OIDC "Trusted Publisher" auth (no token, no 2FA). The npmjs account enforces # "require 2FA for writes", which granular/automation tokens hit as EOTP — so token # auth is a dead end here. Trusted Publishing authenticates the PUT via GitHub OIDC # (needs npm >= 11.5.1, hence the upgrade below) and still attaches provenance. # One-time setup on npmjs.com (Asaf): package n8n-nodes-eventdock -> Settings -> # Publish access -> Trusted Publishers -> add GitHub Actions: owner EventDock, # repo n8n-nodes-eventdock, workflow publish.yml. After that this runs with zero secrets. - name: Upgrade npm for OIDC publish auth run: npm install -g npm@latest - name: Publish with provenance (OIDC trusted publishing) run: npm publish --provenance --access public