# Publish Codemod Action

A GitHub Action to publish codemods to the Codemod registry using OIDC authentication.

## Features

- **No secrets required**: Uses GitHub Actions OIDC tokens for authentication
- **Secure**: No API keys to manage or rotate
- **Simple**: Just add the action to your workflow

## Prerequisites

Before using this action, you must configure a trusted publisher for your package:

1. Go to codemod.com and sign in
2. Navigate to **API Keys** in your dashboard
3. Under **Trusted Publishers**, click **Add Trusted Publisher**
4. Select your package and enter your GitHub repository details
5. (Optional) Add restrictions for workflow path, environment, or ref pattern

## Usage

```yaml
name: Publish Codemod
on:
  release:
    types: [published]

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Publish codemod
        uses: codemod/publish-action@v1
```

## Inputs

| Input | Description | Required | Default |
|-------|-------------|----------|---------|
| `path` | Path to the codemod directory | No | `.` |
| `registry` | Registry URL | No | `https://codemod.com` |

## Examples

### Publish on Release

```yaml
name: Publish Codemod
on:
  release:
    types: [published]

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codemod/publish-action@v1
```

### Publish from Subdirectory

```yaml
name: Publish Codemod
on:
  push:
    branches: [main]
    paths:
      - 'codemods/my-codemod/**'

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codemod/publish-action@v1
        with:
          path: codemods/my-codemod
```

### Publish with Environment Protection

For additional security, you can use GitHub Environments:

```yaml
name: Publish Codemod
on:
  release:
    types: [published]

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: production  # Requires environment approval
    steps:
      - uses: actions/checkout@v4
      - uses: codemod/publish-action@v1
```

Then configure the trusted publisher with an `environment: production` restriction, so that tokens minted outside that environment are rejected.

## Security

This action uses OpenID Connect (OIDC) to authenticate with the Codemod registry. When GitHub Actions runs your workflow, it can request a short-lived OIDC token that proves the workflow's identity. The Codemod registry verifies this token and checks it against your configured trusted publishers.

Benefits:

- No long-lived secrets to manage
- Tokens are short-lived (~5 minutes)
- Fine-grained control via trusted publisher restrictions
- Full audit trail of publishes

## Troubleshooting

### "No trusted publisher found"

Make sure you've configured a trusted publisher for your package that matches:

- Repository owner (organization or username)
- Repository name
- Any configured restrictions (workflow path, environment, ref pattern)

### "Permission denied"

Ensure your workflow has the required permissions:

```yaml
permissions:
  id-token: write  # Required for OIDC token
  contents: read   # Required to checkout code
```

### Token errors

The OIDC token audience must match the registry URL. If using a custom registry, make sure the `registry` input matches your trusted publisher configuration.
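To make the checks in the Security and Troubleshooting sections concrete, here is an added illustration (not the action's or the registry's own code) of how a registry can match the claims of a GitHub Actions OIDC token against a trusted publisher entry. It assumes the token's signature has already been verified against GitHub's JWKS and decoded into a dict; the `TrustedPublisher` fields and the sample claim values are constructed for the example.

```python
import fnmatch
import time
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

@dataclass
class TrustedPublisher:
    owner: str                            # repository owner (org or user)
    repo: str                             # repository name
    workflow_path: Optional[str] = None   # e.g. ".github/workflows/publish.yml"
    environment: Optional[str] = None     # e.g. "production"
    ref_pattern: Optional[str] = None     # glob over the git ref, e.g. "refs/tags/v*"

def check_claims(claims: dict, pub: TrustedPublisher, registry_url: str,
                 now: Optional[float] = None) -> list:
    """Return the failed checks; an empty list means the token is accepted."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != GITHUB_ISSUER:
        failed.append("issuer is not GitHub Actions")
    if claims.get("aud") != registry_url:  # the "Token errors" case above
        failed.append("audience does not match registry URL")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        failed.append("token expired or not yet valid")
    if claims.get("repository_owner") != pub.owner:
        failed.append("repository owner mismatch")
    if claims.get("repository") != f"{pub.owner}/{pub.repo}":
        failed.append("repository name mismatch")
    # job_workflow_ref has the form "owner/repo/<workflow path>@<ref>"
    if pub.workflow_path and not str(claims.get("job_workflow_ref", "")).startswith(
            f"{pub.owner}/{pub.repo}/{pub.workflow_path}@"):
        failed.append("workflow path mismatch")
    if pub.environment and claims.get("environment") != pub.environment:
        failed.append("environment mismatch")
    if pub.ref_pattern and not fnmatch.fnmatchcase(str(claims.get("ref", "")), pub.ref_pattern):
        failed.append("ref does not match pattern")
    return failed

# Constructed sample claims: the shape follows GitHub's documented OIDC claims, values are invented.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "https://codemod.com",
    "repository": "acme/my-codemod", "repository_owner": "acme",
    "ref": "refs/tags/v1.2.0", "environment": "production",
    "job_workflow_ref": "acme/my-codemod/.github/workflows/publish.yml@refs/tags/v1.2.0",
    "nbf": 1_700_000_000, "exp": 1_700_000_300,
}
```

Each failure string maps onto one of the troubleshooting cases above: a wrong `aud` is a token error, and an owner, repository, workflow, environment or ref mismatch is what "No trusted publisher found" reports.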
