
chore: migrate npm publish to OIDC Trusted Publishing#28

Merged
khooihzhz merged 2 commits into main from chore/npm-trusted-publishing on May 14, 2026

Conversation

@khooihzhz
Collaborator

@khooihzhz khooihzhz commented May 11, 2026

Summary

  • Migrates npm publishing from long-lived NPM_TOKEN secret to npm Trusted Publishing (OIDC)
  • Bumps actions/setup-node from Node 20 to 24 so the bundled npm (11.x) already satisfies the >= 11.5.1 requirement for Trusted Publishing
  • Removes NODE_AUTH_TOKEN env block from the publish step
  • Authentication is now scoped to this repo + workflow combo via GitHub Actions OIDC; cannot be exercised from elsewhere even if repo write access leaks

Prerequisite (must complete before merge)

Trusted Publisher must be configured on all 7 packages on npmjs.com, otherwise the next release fails:

  • @coingecko/cg
  • @coingecko/cg-darwin-arm64, @coingecko/cg-darwin-x64
  • @coingecko/cg-linux-arm64, @coingecko/cg-linux-x64
  • @coingecko/cg-win32-arm64, @coingecko/cg-win32-x64

Settings per package: GitHub Actions / coingecko / coingecko-cli / release.yml / (no environment)

Test plan

  • Trusted Publisher configured on all 7 packages on npmjs.com
  • Tag next version (e.g. v1.1.4) after merge
  • Release workflow succeeds without NPM_TOKEN
  • npmjs.com shows GitHub Actions as the publisher for new versions
  • Provenance attestation still appears on published packages

Cleanup (post-verification, separate task)

  • Delete NPM_TOKEN from repo secrets
  • Revoke the Granular token on npmjs.com

🤖 Generated with Claude Code
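What the migration described above looks like in a release workflow, as an added example that is not the repository's own release.yml. The workflow name, the tag trigger, the job and step names, the action versions and the `npm ci` build step are assumptions; only the parts that matter for Trusted Publishing (the `id-token: write` permission, Node 24 so that the bundled npm is >= 11.5.1, and a publish step with no `NODE_AUTH_TOKEN`) are taken from the PR. The replaced token-based step is kept as a comment for comparison.

```yaml
# Added example, not the project's release.yml. Names and versions are assumptions.
name: release

on:
  push:
    tags: ['v*']            # assumed trigger: a tag such as v1.1.4 starts a release

permissions:
  contents: read
  id-token: write           # required: lets the job request a GitHub OIDC token
                            # that npm exchanges for a short-lived publish credential

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24  # Node 24 bundles npm 11.x, which satisfies the >= 11.5.1
                            # minimum for Trusted Publishing without an 'Upgrade npm' step
          registry-url: https://registry.npmjs.org

      # Fail fast if the runner's npm is too old for Trusted Publishing.
      - run: |
          npm --version
          node -e 'const v=process.env.npm_config_user_agent.match(/npm\/(\d+)\.(\d+)\.(\d+)/).slice(1).map(Number);
                   if (v[0] < 11 || (v[0] === 11 && (v[1] < 5 || (v[1] === 5 && v[2] < 1)))) { console.error("npm >= 11.5.1 required"); process.exit(1); }'

      - run: npm ci

      # Before (long-lived secret, usable from any workflow or machine holding it):
      # - run: npm publish --provenance --access public
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # After: no token in the environment. npm detects the Actions OIDC
      # environment and authenticates itself; the credential is bound to this
      # repository and this workflow file as configured on npmjs.com.
      - run: npm publish --provenance --access public
```

Two caveats a practitioner should check against the Trusted Publisher configuration on npmjs.com: the workflow filename in that configuration (here `release.yml`) must match the file that runs the publish exactly, and because the PR configures it with no environment, the job must not declare an `environment:` (if one is later added, the npm-side configuration has to name it too). Once a release has gone out, `npm audit signatures` in a project that depends on the package verifies the registry signature and the provenance attestation the test plan expects to see.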

Drops the long-lived NPM_TOKEN secret in favor of npm Trusted Publishing.
GitHub Actions OIDC tokens authenticate the publish, scoped to this
repo+workflow combo, so publish capability cannot be exercised from
elsewhere even if repo write access leaks.

- Add 'Upgrade npm' step so the CLI is >= 11.5.1 (setup-node@v6 ships
  npm 10.x, which doesn't support trusted publishing)
- Remove NODE_AUTH_TOKEN env from the publish step

Requires Trusted Publisher to be configured on all 7 packages on
npmjs.com before this merges, otherwise the next release fails.
@khooihzhz khooihzhz requested a review from a team May 11, 2026 09:24
Node 24 LTS ships npm 11.x natively, which already satisfies the
>= 11.5.1 requirement for Trusted Publishing. The 'Upgrade npm' step
becomes redundant.
@khooihzhz khooihzhz merged commit 789b9df into main May 14, 2026
3 checks passed
@khooihzhz khooihzhz deleted the chore/npm-trusted-publishing branch May 14, 2026 02:33
