feat: upgrade npm CLI and use trusted publishing (OIDC) for prerelease#1257
Merged
thebiglabasky merged 3 commits into main from Mar 13, 2026
Conversation
…port Node 20.x bundles npm ~10.x, but trusted publishing requires npm >= 11.5.1. This adds `npm install -g npm@latest` to both prerelease and release jobs as a preparatory step. Authentication is unchanged — still uses NPM_TOKEN. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Same npm upgrade step as release.yml for consistency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🎉 Experimental release successfully published on npm
Removes NODE_AUTH_TOKEN from the prerelease job. npm will authenticate via GitHub OIDC token exchange instead of a long-lived token. The release job still uses NPM_TOKEN as a safety net. Trusted publishing is configured on npmjs.com for both 'checkly' and 'create-checkly' packages. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MichaelHogers approved these changes Mar 13, 2026
Summary
- Upgrade npm to latest in the `prerelease` and `release` jobs (Node 20.x bundles npm ~10.x, trusted publishing requires >= 11.5.1)
- Remove `NODE_AUTH_TOKEN` from the prerelease job only — npm will authenticate via GitHub OIDC token exchange instead of a long-lived token
- Keep `NPM_TOKEN` on the release job as a safety net until OIDC is proven in production
- Same npm upgrade in `release-canary.yml` for consistency

How it works
NPM trusted publishing uses the same GitHub OIDC mechanism as AWS OIDC:
Trusted publishing has been configured on npmjs.com for both `checkly` and `create-checkly` packages (org: checkly, repo: checkly-cli, workflow: release.yml).
Docs: https://docs.npmjs.com/generating-provenance-statements

What changes per job
| Job | Before | After |
|---|---|---|
| prerelease | `NPM_TOKEN` + npm 10.x | OIDC + npm latest |
| release | `NPM_TOKEN` + npm 10.x | `NPM_TOKEN` + npm latest (unchanged auth) |
| release-canary | `NPM_TOKEN` + npm 10.x | `NPM_TOKEN` + npm latest (unchanged auth) |

Rollback plan
Revert the commit that removes `NODE_AUTH_TOKEN` from the prerelease job (one line). The `NPM_TOKEN` secret remains in GitHub. The trusted publisher config on npmjs.com doesn't interfere with token auth.

Risks
- The release job depends on the prerelease job (`needs: prerelease`) — no broken package reaches `latest`

Test plan
- Prerelease job publishes via OIDC (check for `npm notice` lines about OIDC)
- Release job still publishes with `NPM_TOKEN` (unchanged)

🤖 Generated with Claude Code
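Added example, not the checkly-cli repository's own workflow: a minimal GitHub Actions prerelease job showing the long-lived-token setup beside the trusted-publishing setup this PR describes, with a version guard so the job fails early if the runner's npm is too old for OIDC. The dist-tag, the `actions/*` versions and the job names are assumptions.

```yaml
# Added example; placeholder job names, dist-tag and action versions.
jobs:
  # Before: a long-lived secret is injected into the job and written to
  # .npmrc by setup-node (registry-url). Anyone who can read job env or
  # logs that leak it can publish as the org.
  prerelease-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.x            # bundles npm ~10.x
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --tag experimental
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived token

  # After: no token in the job. The runner mints a short-lived OIDC token
  # (id-token: write) and npm >= 11.5.1 exchanges it with npmjs.com, which
  # only accepts it for the trusted publisher (org/repo/workflow) on file.
  prerelease:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write               # required for the OIDC exchange
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.x
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # Node 20 ships npm 10.x; need >= 11.5.1
      - name: Verify npm supports trusted publishing (>= 11.5.1)
        run: |
          v="$(npm --version)"
          lowest="$(printf '%s\n11.5.1\n' "$v" | sort -V | head -n1)"
          [ "$lowest" = "11.5.1" ] || { echo "npm $v too old for OIDC"; exit 1; }
      - run: npm ci
      # No NODE_AUTH_TOKEN here: npm detects the Actions OIDC environment itself.
      - run: npm publish --tag experimental
```

If the OIDC exchange fails, the publish step errors out rather than silently falling back to a token, which is what makes the rollback plan above (re-adding `NODE_AUTH_TOKEN` on one line) a clean switch between the two modes.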