@developerkunal
Contributor

Changes

This PR migrates the npm publishing workflow from static token-based authentication to OIDC (OpenID Connect) authentication for the v4 branch.

What's changing:

  • Removed npm-token secret requirement from all workflows
  • Added permissions: id-token: write and contents: write to the release job in npm-release.yml
  • Removed NODE_AUTH_TOKEN environment variable from the npm publish step
  • Set make_latest: false in release-create action to prevent v4 releases from being marked as "latest"
  • Updated softprops/action-gh-release to v2.4.2 (pinned to commit hash)
  • No changes to npm or yarn versions - using pre-installed npm 10.8.2 on ubuntu-latest runner

Why this is important:

  • npm is deprecating long-lived authentication tokens in mid-November 2025
  • OIDC provides better security through short-lived tokens automatically issued by GitHub Actions
  • Eliminates need to manage and rotate NPM_TOKEN secret
  • Ensures v4 releases won't be marked as "latest" (v5 should be latest)

Files changed:

  • .github/workflows/npm-release.yml - Added permissions, removed npm-token secret
  • .github/workflows/release.yml - Removed npm-token from secrets
  • .github/actions/npm-publish/action.yml - Removed npm-token input and NODE_AUTH_TOKEN env var
  • .github/actions/release-create/action.yml - Added make_latest: false, updated to v2.4.2

References

Testing

⚠️ IMPORTANT: This uses the same npmjs.com trusted publishing configuration as the master branch

The trusted publishing configuration on npmjs.com should already be set up from PR #1249. The same OIDC setup works for both branches since they use the same workflow file (release.yml) and environment (release).

Testing approach:

  • After merge, trigger a test release with an alpha version from the v4 branch
  • Verify the workflow completes successfully with OIDC authentication
  • Verify the release is NOT marked as "latest" on GitHub
  • Check that provenance information appears on the npm package page

Checklist

- Remove npm-token secret requirement from workflows
- Add permissions block (contents: write, id-token: write) to release job
- Remove NODE_AUTH_TOKEN environment variable from npm publish step
- Set make_latest: false for GitHub releases to prevent v4 releases from being marked as latest
- Update softprops/action-gh-release to v2.4.2
- Keep registry-url configuration for OIDC authentication
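The release job the description lists, written out as an added example; it is not the project's workflow file, and the tag trigger, Node version, step names and the `release` environment binding are assumptions. The npm upgrade step reflects npm's documented requirement of npm 11.5.1 or newer for trusted publishing.

```yaml
# Added example: a v4 release job publishing to npm with OIDC trusted publishing.
# Not the project's workflow; trigger, step names and Node version are assumptions.
name: npm-release

on:
  push:
    tags: ['v4.*']

# Least privilege at the workflow level; the release job widens only what it needs.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    environment: release        # must match the environment registered on npmjs.com
    permissions:
      id-token: write           # lets the job request a GitHub OIDC token for npm
      contents: write           # needed by action-gh-release to create the GitHub release
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # kept, as in the PR checklist

      # npm's trusted-publishing documentation requires npm 11.5.1 or newer.
      - run: npm install -g npm@latest

      - run: npm ci

      # Before the change this step carried env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}.
      # With OIDC there is no long-lived secret: npm exchanges the workflow's identity
      # token for a short-lived credential and attaches provenance to the version.
      - run: npm publish --provenance

      - uses: softprops/action-gh-release@<FULL_COMMIT_SHA_FOR_v2.4.2>   # placeholder: pin the SHA
        with:
          tag_name: ${{ github.ref_name }}
          make_latest: false    # v4 releases must not displace v5 as "latest"
```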
@developerkunal developerkunal requested a review from a team as a code owner November 18, 2025 06:21
@developerkunal
Contributor Author

@claude

- Add v4 to pull_request and push branch triggers
- Update cancel-in-progress to not cancel for both master and v4 branches
@github-actions
Contributor

github-actions bot commented Nov 18, 2025

Claude finished @developerkunal's task.


PR Review Progress

  • Read PR diff
  • Read project context (AGENTS.md not found, proceeding without it)
  • Perform code quality review
  • Perform security review
  • Perform performance review
  • Provide inline feedback
  • Post overall assessment

Overall Assessment

❌ This PR has a critical configuration issue that will cause npm publish to fail. The workflow removes NODE_AUTH_TOKEN but leaves registry-url configured in actions/setup-node, which creates an .npmrc file expecting the token. When npm publish --provenance runs, it will encounter authentication failure. Remove the registry-url parameter from setup-node or explicitly handle the .npmrc file before publishing.


@developerkunal developerkunal merged commit e46ecdc into v4 Nov 19, 2025
3 checks passed
@developerkunal developerkunal deleted the v4-migrate-npm-oidc branch November 19, 2025 06:15