Migrate to npm Trusted Publishing #67

@AtofStryker

Description

Why migrate to Trusted Publishing?

As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).

Benefits:

  • Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
  • No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
  • Automatic Provenance Attestation: Provides better audit trails and security transparency
  • Simplified Security Model: Reduces attack surface by eliminating persistent credentials

Implementation

Update semantic-release

Update semantic-release from 24.2.7 to 25.0.1, which adds support for trusted publishing. See the release notes for details.

Configure Trusted Publishing

  1. Set up npm Trusted Publishing in the npm dashboard for @cypress scope packages
  2. Update the GitHub Actions workflow to use OIDC instead of NPM_TOKEN secret
  3. Remove the NPM_TOKEN secret from repository settings once migration is complete
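One way the workflow change in step 2 can look, as an added example that is not the issue's or Cypress's own configuration; the workflow name, Node.js version and the `main` trigger branch are assumptions, and the Trusted Publisher for the package must already be registered in the npm dashboard (step 1):

```yaml
# Added example: a release workflow that publishes through npm Trusted Publishing (OIDC).
# Assumptions: workflow name, Node.js version and the `main` branch are placeholders;
# the npm Trusted Publisher must already point at this repository and workflow file.
name: release

on:
  push:
    branches: [main]

permissions:
  contents: write        # semantic-release pushes tags and creates GitHub releases
  issues: write          # semantic-release comments on released issues
  pull-requests: write   # semantic-release comments on released PRs
  id-token: write        # required: lets the job request a GitHub OIDC token for npm

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # semantic-release needs full history to compute the next version

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs npm CLI 11.5.1 or later, which knows how to exchange
      # the job's OIDC token for a short-lived publish credential at the registry.
      - run: npm install -g npm@latest

      - run: npm ci

      # Before (token-based): this step carried `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` in env.
      # After: no NPM_TOKEN at all. semantic-release 25 (@semantic-release/npm) detects the
      # OIDC environment; npm publishes with a job-scoped credential and, for public
      # packages, attaches a provenance attestation automatically.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Once a release from this workflow succeeds, the NPM_TOKEN secret can be deleted (step 3); if a later run fails with an authentication error, the usual causes are a missing `id-token: write` permission or a Trusted Publisher whose workflow filename does not match.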

Reference

Acceptance Criteria

  • semantic-release updated to 25.0.1
  • npm Trusted Publishing configured for this repository
  • GitHub Actions workflow updated to use OIDC
  • NPM_TOKEN secret removed from repository
  • Successful test release using trusted publishing
