fix: switch npm publish to OIDC trusted publishing #638

Merged
kovtcharov merged 2 commits into main from kalin/trusted-publishing on Mar 27, 2026

@kovtcharov
Collaborator

Summary

  • Remove NPM_TOKEN secret, use OIDC trusted publishing instead
  • Bump Node to 22 for npm 11.5.1+ (required for trusted publishing)
  • Bump version to 0.17.1-rc.1 to test trusted publishing pipeline

Context

The npm publish workflow was failing with E403 because it required 2FA/OTP. Trusted publishing via OIDC eliminates the need for stored tokens entirely — GitHub Actions authenticates directly with npm using short-lived OIDC credentials.

Trusted publisher has been configured on npmjs.com for this workflow + environment.

Test plan

  • Merge this PR
  • Tag v0.17.1-rc.1 and push to trigger the publish workflow
  • Verify @amd-gaia/agent-ui@0.17.1-rc.1 appears on npm

…1-rc.1

- Remove NPM_TOKEN secret, use OIDC provenance instead
- Bump Node to 22 for npm 11.5.1+ (required for trusted publishing)
- Bump version to 0.17.1-rc.1 to test trusted publishing pipeline

@github-actions bot added the devops (DevOps/infrastructure changes) label Mar 27, 2026

Without --refresh, uv uses a cached package index which may not
include recently published versions, causing install failures for
new users running gaia-ui right after a release.

@kovtcharov enabled auto-merge March 27, 2026 22:25
@kovtcharov added this pull request to the merge queue Mar 27, 2026
Merged via the queue into main with commit 83a4db1 Mar 27, 2026
24 checks passed
@kovtcharov deleted the kalin/trusted-publishing branch March 27, 2026 22:25
github-merge-queue bot pushed a commit that referenced this pull request Mar 27, 2026

## Summary
- Remove `registry-url` from `setup-node` in the publish workflow
- `setup-node` with `registry-url` creates an `.npmrc` that sets
`NODE_AUTH_TOKEN`, which overrides OIDC authentication and causes E404
on trusted publishing

## Context
Follow-up to #638. Trusted publishing was configured but npm publish
kept failing with E404 because the `.npmrc` token was taking precedence
over OIDC.

@itomek mentioned this pull request Mar 31, 2026
4 tasks
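
A pre-merge check for the failure modes this thread describes, as an added example that is not code from the PR or the project: it scans a publish workflow's text for a stored npm token, `registry-url` on `setup-node`, a Node major below 22, and a missing `id-token: write` permission. The function name, rule ids and both sample workflows are constructed for illustration, and the `id-token: write` requirement comes from GitHub's OIDC documentation rather than from this page.

```javascript
// Added example (not the project's code): line-based lint of a publish workflow.
const MIN_NODE_MAJOR = 22; // PR summary: "Bump Node to 22 for npm 11.5.1+"
const RULES = [
  // Long-lived registry token still wired into the job (the PR removes NPM_TOKEN).
  { id: "stored-token", re: /secrets\.NPM_TOKEN|^\s*NODE_AUTH_TOKEN\s*:/ },
  // Per the follow-up commit, registry-url makes setup-node write a token .npmrc.
  { id: "registry-url", re: /^\s*registry-url\s*:/ },
  // Node major below the one the PR moves to.
  { id: "old-node", re: /^\s*node-version\s*:\s*['"]?(\d+)/,
    when: (m) => Number(m[1]) < MIN_NODE_MAJOR },
];

function lintPublishWorkflow(yamlText) {
  // Drop YAML comments so commented-out settings are not reported.
  const lines = yamlText.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, ""));
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m && (!rule.when || rule.when(m))) findings.push(`${rule.id}@${i + 1}`);
    }
  });
  // GitHub only issues an OIDC token to jobs granted id-token: write.
  const hasOidc = lines.some((l) => /^\s*id-token\s*:\s*write\s*$/.test(l));
  if (!hasOidc) findings.push("no-id-token-permission");
  return findings;
}

// Constructed sample workflow fragments (\$ keeps ${{ }} literal in a template string).
const BEFORE = `jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}`;
const AFTER = `jobs:
  publish:
    permissions:
      id-token: write  # lets the job request an OIDC token
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm publish`;
console.log(lintPublishWorkflow(BEFORE), lintPublishWorkflow(AFTER));
```

The matching is textual, so it treats an `id-token: write` grant anywhere in the file as sufficient and does not follow reusable workflows.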