feat: use npm trusted publishing (OIDC) for release job #1258

Merged
thebiglabasky merged 2 commits into main from feat/npm-trusted-publishing-release
Mar 13, 2026

Conversation

@thebiglabasky (Contributor)

Summary

  • Removes NODE_AUTH_TOKEN from the release job — npm will authenticate via GitHub OIDC, same as the prerelease job
  • All npm publishing now uses trusted publishing — no long-lived tokens required
  • The NPM_TOKEN secret can be kept in GitHub as a break-glass fallback but is no longer referenced

Context

This completes the migration to npm trusted publishing started in #1257. The prerelease job has been running on OIDC successfully (7.6.1 / 7.6.2 published without issues).

The release job uses environment: production — the trusted publisher on npmjs.com is configured with a blank environment field, which acts as a wildcard matching all environments.

What changes

| Job | Before | After |
|---|---|---|
| prerelease | OIDC (since #1257) | OIDC (unchanged) |
| release | NPM_TOKEN | OIDC |
| release-canary | NPM_TOKEN | NPM_TOKEN (unchanged, different workflow file) |

Rollback plan

Revert this commit (adds two lines back). The NPM_TOKEN secret remains in GitHub. Trusted publisher config on npmjs.com doesn't interfere with token auth.

Risks

  • The production environment on the release job adds an environment claim to the OIDC token. The blank environment field on npmjs.com should match regardless, but this is the first time it's tested with a named environment. If it fails, rollback is a one-line revert.

Test plan

  • Prerelease OIDC proven in production (7.6.1, 7.6.2)
  • Release job publishes successfully via OIDC
  • Both packages appear on npmjs.com with provenance badge

🤖 Generated with Claude Code
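The release job described in this PR, as an added example of what a GitHub Actions job publishing to npm through OIDC trusted publishing looks like. This is not the project's own release.yml (the page does not show it); the workflow name, tag trigger, Node version, package and step layout are assumptions. Two things the PR text relies on are made explicit: the job needs `id-token: write` or no OIDC token is minted at all, and a job that sets `environment:` gets an OIDC token whose `sub` claim is of the form `repo:OWNER/REPO:environment:production` rather than the `ref:` form, which is why the npmjs.com environment field is the part worth watching on the first tagged run. The two commented-out lines at the end are the shape of what the rollback described above would restore.

```yaml
# Added example, not the project's release.yml. Names below are placeholders.
name: release

on:
  push:
    tags: ['v*']          # assumption: releases are cut from version tags

jobs:
  release:
    runs-on: ubuntu-latest
    # A named environment changes the OIDC token's `sub` claim to
    # repo:OWNER/REPO:environment:production. A trusted publisher on
    # npmjs.com whose environment field is blank matches any environment;
    # one that names an environment must match this value exactly.
    environment: production
    permissions:
      contents: read
      id-token: write     # required: without this no OIDC token is issued
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm 11.5.1 or newer; the npm bundled with
      # the selected Node version may be older, so upgrade it explicitly.
      - run: npm install -g npm@latest
      - run: npm ci
      # No NODE_AUTH_TOKEN here. npm detects the GitHub OIDC environment,
      # exchanges the identity token for a short-lived publish token and
      # attaches a provenance attestation, which is what produces the
      # provenance badge on npmjs.com.
      - run: npm publish --access public
      # Break-glass fallback (what the revert would add back): long-lived
      # token auth from the NPM_TOKEN repository secret.
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

If the first tagged run fails at `npm publish` with an authentication error, the things to compare are the repository, workflow filename and environment recorded on the npmjs.com trusted publisher against the job that actually ran; a mismatch in any of the three means npm never issues the short-lived token, and the `id-token: write` permission is the first thing to confirm before touching the publisher config.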

thebiglabasky and others added 2 commits March 13, 2026 17:31
Removes NODE_AUTH_TOKEN from the release job. All npm publishing
now uses GitHub OIDC — no long-lived tokens required.

The prerelease job was switched to OIDC in the previous PR and
has been proven in production (7.6.1 / 7.6.2 published successfully).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Clarifies that release.yml uses OIDC (no token rotation needed)
while release-canary.yml still uses NPM_TOKEN.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@thebiglabasky thebiglabasky enabled auto-merge (squash) March 13, 2026 16:38
@thebiglabasky thebiglabasky merged commit 19b501b into main Mar 13, 2026
3 checks passed
@thebiglabasky thebiglabasky deleted the feat/npm-trusted-publishing-release branch March 13, 2026 16:43