Fix OIDC setup for npm publish#102
Merged
Merged
Conversation
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the main release workflow to publish to npm using npm’s OIDC Trusted Publishing instead of a long-lived NPM_TOKEN, and adds provenance signing for published artifacts.
Changes:
- Adds
permissions: id-token: writeso the workflow can request an OIDC token. - Removes the
NODE_AUTH_TOKEN/secrets.NPM_TOKENpublish-time secret usage. - Publishes with
npm publish --provenanceto attach cryptographic provenance.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
higuptabolt
approved these changes
Jul 6, 2026
This was referenced Jul 6, 2026
SanthoshCharanBolt
added a commit
that referenced
this pull request
Jul 6, 2026
### Description While verifying the OIDC/Trusted Publishing fix from #102, a test publish landed `0.9.10` on npm from an untagged, off-`main` commit (see #103, closed). `main`'s `package.json` is still at `0.9.9`. Without this fix, the next release-triggering commit to `main` would run `yarn release --ci`, compute the next version as `0.9.10` again (already published), and fail — npm rejects republishing an existing version. This bumps `main` to `0.9.10` so the next real release correctly computes `0.9.11`+. ### Background on why `main` was broken Versions `0.9.4`–`0.9.9` were bumped and tagged on `main` via `chore: release` commits, but every one of those publishes failed with a 404 (`npm error 404 Not Found - PUT .../@BoltPay%2freact-native`), because npm Trusted Publishing was never configured for this package. That's now fixed: - #102 corrected the workflow (`id-token: write`, correct registry URL, OIDC-based auth, `--provenance`) - A Trusted Publisher entry was added on npmjs.com for `boltapp/bolt-react-native-sdk` + `main-release.yml` - Verified working end-to-end via a throwaway branch/PR (#103, closed) — publish succeeded with a signed provenance attestation ### Security Review - [x] I have considered and reviewed security implications of this PR and included the summary below. #### Security Impact Summary Version-number-only change; no application code or production behavior affected. **Reviewer choices:** None.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The release workflow published to npm using a static expired
NPM_TOKENsecret, which have broken publishing. This PR switches to npm's OIDC-based trusted publishing: addsid-token: writepermission, fixes the registry URL, drops theNODE_AUTH_TOKEN/NPM_TOKENsecret, and publishes with--provenanceso the package is cryptographically linked back to this source and workflow run.Verified by reading the final workflow diff against npm's trusted-publishing/OIDC requirements; no local run possible since publish only fires on a version bump to
main.Security Review
Important
A security review is required for every PR in this repository to comply with PCI requirements.
Human reviewer only: read the Security Impact Summary below, then check the box when satisfied.
Security Impact Summary
Removes the long-lived
NPM_TOKENsecret from the publish step in favor of short-lived OIDC tokens, reducing the blast radius of a leaked static credential.Reviewer choices: None.
Agent / CI checklist (for AI-assisted or stacked PRs)
main; verified by inspection against npm's OIDC trusted-publishing requirementsTest plan
mainand confirm the release workflow runs and publishes withoutNPM_TOKEN