
fix: use OIDC trusted publishing instead of npm token for releases #1031

Merged
rfgamaral merged 1 commit into main from ricardo/fix-oidc-release-workflow
Apr 8, 2026

Conversation

@rfgamaral (Member)

Short description

The release workflow was using registry-url in setup-node, which overwrote the repo's .npmrc and required an NPM_TOKEN for authentication. This broke OIDC trusted publishing, which PR #1026 "fixed" by adding the token back. That was the wrong direction: the token is unnecessary when OIDC is configured correctly.

This PR removes registry-url from the initial setup-node step so the repo .npmrc is preserved and OIDC handles npm authentication without a token.

The workflow was also aligned with Typist's release workflow: package-published output from semantic-release instead of tag-diff detection, node_modules caching, explicit build step, consistent step naming, and GH_PACKAGES_TOKEN for GitHub Packages publishing. One difference from Typist: Reactist keeps the GitHub App token (create-github-app-token) instead of GH_REPO_TOKEN, because Reactist has a branch ruleset on main that requires the App as a bypass actor for semantic-release to push release commits. Typist has no such ruleset, but would break if one were added. This is something we should bring back to Typist.

Pre-merge checklist

  • Update npm trusted publisher config to reference publish-package-release.yml (was release.yml)

@rfgamaral rfgamaral self-assigned this Apr 8, 2026
@rfgamaral rfgamaral added the label "👀 Show PR" (Used for PRs that need a review, but can be merged when CI is green.) Apr 8, 2026

@doistbot doistbot (Member) left a comment


This PR updates the release workflow to rely on OIDC trusted publishing rather than an npm token while cleanly aligning the process with Typist's established setup. These adjustments improve the security and consistency of the deployment pipeline by eliminating unnecessary tokens and standardizing the steps. There are just a few details to address to ensure everything runs smoothly, including coordinating the workflow file rename with the npm trusted publisher configuration, incorporating patch files into the dependency cache key to avoid stale builds, and guarding $GITHUB_OUTPUT references in the release configuration so local dry runs do not break.

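To make the change described in the PR description and the review comment concrete, here is an added example of a release job built the way this PR describes. It is not Reactist's or Typist's actual workflow and not code from this PR. Everything on the page (no `registry-url` on setup-node, no `NPM_TOKEN`, a GitHub App token for semantic-release, a node_modules cache, an explicit build step, the `publish-package-release.yml` filename) is reflected; the job and step names, the `APP_ID` / `APP_PRIVATE_KEY` secret names, the `patches/` directory in the cache key and the `.nvmrc` pin are assumptions made for the example.

```yaml
# Added example, not the Reactist repository's own workflow.
# File name matters: npm's trusted publisher config for the package must point at
# this exact workflow filename (the PR checklist: publish-package-release.yml).
name: publish-package-release

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # required for OIDC: npm exchanges this token for short-lived publish credentials

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # GitHub App token so semantic-release can push release commits past the
      # branch ruleset on main (the App is the ruleset's bypass actor).
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}               # assumed secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # assumed secret name

      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # semantic-release pushes with GITHUB_TOKEN below, not cached git creds

      # Deliberately no `registry-url` here. Setting it makes setup-node write its own
      # .npmrc with `_authToken=${NODE_AUTH_TOKEN}`, which is the token-based path
      # this PR removes; leaving it out keeps the repo's .npmrc in control.
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc    # assumed; any Node pinning method works

      # Trusted publishing needs npm 11.5.1 or newer; older bundled npm falls back to token auth.
      - name: Update npm
        run: npm install -g npm@latest

      # Patch files change the installed tree, so they belong in the cache key
      # (the reviewer's "stale builds" point).
      - name: Cache node_modules
        uses: actions/cache@v4
        with:
          path: node_modules
          key: node-modules-${{ runner.os }}-${{ hashFiles('package-lock.json', 'patches/**') }}

      - name: Install dependencies
        run: npm ci

      - name: Build
        run: npm run build

      # Fail fast if a long-lived npm token sneaks back in through env or an .npmrc:
      # with OIDC there should be none.
      - name: Verify no static npm token is present
        run: |
          if [ -n "${NODE_AUTH_TOKEN:-}" ] || [ -n "${NPM_TOKEN:-}" ] \
             || grep -qs '_authToken' .npmrc "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"; then
            echo "unexpected static npm auth token found; OIDC publishing should not need one" >&2
            exit 1
          fi

      # Only the GitHub side gets a token (the App token); npm auth comes from OIDC.
      - name: Release
        id: release
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        run: npx semantic-release
```

On the reviewer's last point: anything in the semantic-release configuration that writes the `package-published` output should append to `"${GITHUB_OUTPUT:-/dev/null}"` rather than `"$GITHUB_OUTPUT"`, so a local `npx semantic-release --dry-run`, where that variable is unset, does not fail on a missing file. The `Verify` step is the defender's check that the token removal actually held: if a future change reintroduces `registry-url` or an `NPM_TOKEN` secret, the job stops before publishing.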

Remove registry-url from setup-node so the repo .npmrc is preserved,
enabling OIDC authentication for npm publishing. Remove NODE_AUTH_TOKEN
and the NPM_TOKEN secret dependency.

Also align the release workflow with the Typist reference implementation:
use package-published output from semantic-release instead of tag-diff
detection, add node_modules caching, explicit build step, and consistent
step naming.
@rfgamaral rfgamaral force-pushed the ricardo/fix-oidc-release-workflow branch from 0a70266 to 6cb58bf Compare April 8, 2026 07:08
@rfgamaral rfgamaral merged commit e15f898 into main Apr 8, 2026
5 of 6 checks passed
@rfgamaral rfgamaral deleted the ricardo/fix-oidc-release-workflow branch April 8, 2026 07:21
@rfgamaral rfgamaral requested review from a team and scottlovegrove and removed request for a team April 8, 2026 07:21
doist-release-bot bot pushed a commit that referenced this pull request Apr 8, 2026
## [30.1.4](v30.1.3...v30.1.4) (2026-04-08)

### Bug Fixes

* use OIDC trusted publishing instead of npm token for releases ([#1031](#1031)) ([e15f898](e15f898))
@doist-release-bot (Contributor)

🎉 This PR is included in version 30.1.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

@doist-release-bot doist-release-bot bot added the label "Released" (PRs that have been merged and released) Apr 8, 2026

@scottlovegrove scottlovegrove (Contributor) left a comment


👍🏻

@henningmu (Contributor)

Nice one, thank you 🙌
