@andrew-scott-fischer
Contributor

Context

Configures the publish workflow to use OIDC authentication for npm publishing instead of long-lived NPM_TOKEN secrets. This provides better security and enables automatic provenance attestation.

Changes

  • Added publish environment to the workflow
  • Added id-token: write and contents: read permissions
  • Removed NPM_TOKEN configuration from workflow

Next Steps

After merging, trusted publishing must be configured on npm.com for each package:

  • Go to package settings → Publishing access → Trusted publishers
  • Add GitHub Actions as trusted publisher:
    • Organization: BitGo
    • Repository: BitGoWASM
    • Workflow: publish.yml
    • Environment: publish

References

Ticket: VL-3686

Configure GitHub Actions workflow to use OIDC authentication instead of
NPM_TOKEN for publishing packages. This provides better security by
eliminating long-lived secrets and enables automatic provenance attestation.

Changes:
- Add publish environment and id-token: write permission
- Remove NPM_TOKEN from workflow configuration
- Keep GITHUB_TOKEN for git operations

Ticket: VL-3686
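An added illustration, not the PR's own diff: a minimal publish workflow in the long-lived NPM_TOKEN form beside the OIDC form the description and commit message lay out. Job name, trigger, step layout, action versions and the npm CLI version floor are assumptions; the permissions, environment name and dropped secret are the ones the PR states.

```yaml
# BEFORE (weak): npm automation token stored as a repository secret.
# Anyone who can read repo secrets, or any step that leaks env, gets a
# credential that stays valid until someone remembers to rotate it.
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret
---
# AFTER (as the PR describes): short-lived OIDC token, no stored npm secret.
# This file must be .github/workflows/publish.yml, because npm trusts the
# (owner, repository, workflow file, environment) tuple registered under
# "Trusted publishers", not the job name.
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read     # checkout only; the job cannot write to the repo
  id-token: write    # allows the job to request an OIDC token from GitHub
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: publish   # must match the "Environment" entry on npm exactly
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # still needed: tells npm where to exchange the token
      - run: npm ci
      # npm CLI 11.5.1 or newer (assumed version floor) exchanges the OIDC
      # token for a publish credential itself and attaches a provenance
      # attestation; no NODE_AUTH_TOKEN is set anywhere in this job.
      - run: npm publish --access public
```

If the publish step fails with an authentication error after this change, compare the repository, workflow file name and environment in the run against the trusted publisher entry before looking anywhere else.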
@andrew-scott-fischer andrew-scott-fischer requested a review from a team as a code owner November 5, 2025 20:07
@lcovar lcovar merged commit 6e520d3 into master Nov 5, 2025
1 check passed
@lcovar lcovar deleted the VL-3686-enable-oidc-trusted-publishing branch November 5, 2025 20:11