Merged
15 changes: 8 additions & 7 deletions .github/workflows/npm-publish.yml
@@ -5,12 +5,15 @@ on:
types: [published]
# or it is called by another workflow
workflow_call:
secrets:
NPM_TOKEN:
required: true
jobs:
build:
runs-on: ubuntu-latest
# Required for npm Trusted Publishing (OIDC). Without `id-token: write`
# GitHub will not mint the OIDC token that npm exchanges for a
# short-lived publish credential.
permissions:
id-token: write
contents: read
# When invoked via `workflow_call`, `github.event_name` reflects the
# ROOT triggering event of the caller (e.g. `pull_request`), NOT
# `workflow_call` — so a `== 'workflow_call'` check never matches.
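Review bot: removing the `secrets: NPM_TOKEN: required: true` declaration under `workflow_call` is a breaking change for any other caller that still passes `secrets: NPM_TOKEN`, since passing an undeclared secret fails workflow validation; call that out in the PR description. The new comment above `permissions:` should also say that, for a reusable workflow, the job-level `id-token: write` only takes effect when the calling job and the caller's top-level `permissions` grant it too, otherwise readers will assume this block is sufficient on its own.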
@@ -24,13 +27,11 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: "20.x"
node-version: "22"
registry-url: "https://registry.npmjs.org"
- name: Install dependencies
run: npm ci
- name: Publish package on NPM
run: npm publish
Comment on lines 36 to 37
🚩 npm publish may need --provenance flag for OIDC authentication

The PR removes NODE_AUTH_TOKEN from the npm publish step (npm-publish.yml:36-37) but does not add --provenance to the npm publish command. The actions/setup-node action with registry-url creates an .npmrc containing //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. Since NODE_AUTH_TOKEN is no longer set, the auth token will be empty.

npm Trusted Publishing historically requires npm publish --provenance to trigger the OIDC token exchange for authentication. Without this flag and without NODE_AUTH_TOKEN, there may be no valid authentication mechanism. However, npm's OIDC support has been evolving — newer npm versions (10.x+ with Node 22) may handle this differently. This should be verified against the current npm Trusted Publishing documentation and tested before merging.

env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
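Review bot: with the `env: NODE_AUTH_TOKEN` lines removed, the `Publish package on NPM` step depends entirely on the OIDC exchange, but the hunk only pins `node-version: "22"` and says nothing about the npm CLI version that performs that exchange; verify that the npm bundled with Node 22 meets the minimum version documented for Trusted Publishing, and if not add an explicit `run: npm install -g npm@latest` step before `npm publish` (an `npm --version` step would also make a failing run easier to diagnose). Since `registry-url` still makes `setup-node` write an `.npmrc` that references the now-unset `NODE_AUTH_TOKEN`, confirm on a real release run that publishing succeeds via OIDC rather than failing on an empty token.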
7 changes: 5 additions & 2 deletions .github/workflows/publish-release.yml
@@ -90,5 +90,8 @@ jobs:
publish-package:
needs: publish-release
uses: ./.github/workflows/npm-publish.yml
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
# npm Trusted Publishing (OIDC) — no NPM_TOKEN secret needed.
# The called workflow declares `permissions: id-token: write` itself.
permissions:
id-token: write
contents: read
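Review bot: the added comment `The called workflow declares permissions: id-token: write itself` is misleading as written: a reusable workflow cannot hold more permissions than the job that calls it, which is exactly why this job-level `permissions:` block is needed, and this job is in turn capped by the workflow-level `permissions` of publish-release.yml. Reword the comment to say the caller must grant `id-token: write`, and add `id-token: write` to the top-level `permissions` block so the job-level grant is not silently reduced to `none`.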
Comment on lines +95 to +97
🔴 Workflow-level permissions caps id-token to none, blocking OIDC publishing via PR merge flow

The workflow-level permissions at .github/workflows/publish-release.yml:9-10 only specifies contents: write. Per GitHub Actions docs, when the permissions key is used, all unspecified permissions are set to none. This means id-token is none at the workflow level. Since workflow-level permissions act as a ceiling for all jobs, the publish-package job's permissions: id-token: write (line 95-96) cannot escalate beyond this — it remains none. Consequently, when npm-publish.yml is called via workflow_call, GitHub will not mint the OIDC token, and npm Trusted Publishing will fail with an authentication error. The fix is to add id-token: write to the top-level permissions block.

Prompt for agents
The workflow-level `permissions` block at line 9-10 of publish-release.yml only specifies `contents: write`, which causes all other permissions (including `id-token`) to default to `none`. Job-level permissions cannot escalate beyond the workflow-level ceiling.

To fix this, add `id-token: write` to the top-level permissions block at lines 9-10:

permissions:
  contents: write
  id-token: write

This ensures the `publish-package` job (and the called `npm-publish.yml` workflow) can actually receive the `id-token: write` permission needed for OIDC-based npm Trusted Publishing.