Fix npm OIDC publish by removing setup-node registry config #10958

Merged
sestinj merged 1 commit into main from wt-7, Mar 1, 2026
@sestinj (Contributor) commented Mar 1, 2026

Summary

  • Remove registry-url and always-auth from setup-node in both release workflows — these cause setup-node to set NODE_AUTH_TOKEN to the GitHub token, which npm uses instead of its native OIDC flow, resulting in Access token expired / 404 errors on publish
  • Switch beta workflow to OIDC trusted publishing (add id-token: write, --provenance, npm@latest, remove NPM_TOKEN usage)

Test plan

  • Re-run the stable release workflow and confirm npm publish --provenance succeeds via OIDC
  • Add beta-release.yml as a trusted publisher on npmjs.com for @continuedev/cli
  • Verify next beta release publishes successfully with OIDC
  • Remove NPM_TOKEN secret from repo after confirming both workflows work

🤖 Generated with Claude Code



Summary by cubic

Switch beta and stable release workflows to npm OIDC trusted publishing to fix auth failures during npm publish. Remove setup-node registry settings that injected a GitHub token, add id-token permissions, upgrade to npm@latest, and publish with provenance.

  • Bug Fixes

    • Removed setup-node registry-url and always-auth so npm uses OIDC instead of NODE_AUTH_TOKEN.
    • Dropped NPM_TOKEN usage; added permissions: id-token: write.
    • Installed npm@latest and used npm publish --provenance for beta.
  • Migration

    • Add beta-release.yml as a trusted publisher for @continuedev/cli on npm.
    • Re-run stable release and confirm OIDC publish works.
    • Remove the NPM_TOKEN secret after both workflows succeed.

Written for commit 36d82f7. Summary will update on new commits.

setup-node with registry-url sets NODE_AUTH_TOKEN to the GitHub token,
which npm uses instead of its OIDC flow, causing auth failures. Remove
registry-url/always-auth and switch beta workflow to OIDC too.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@sestinj requested a review from a team as a code owner March 1, 2026 21:05
@sestinj requested review from Patrick-Erichsen and removed request for a team March 1, 2026 21:05
@dosubot bot added the size:S label (This PR changes 10-29 lines, ignoring generated files.) Mar 1, 2026

continue bot (Contributor) commented Mar 1, 2026

Docs Review

No documentation updates are needed for this PR.

Reason: This PR contains internal CI/CD infrastructure changes to fix npm OIDC trusted publishing in the release workflows. These are purely DevOps changes that:

  • Fix authentication flow for npm package publishing
  • Remove conflicting setup-node registry configuration
  • Add proper OIDC permissions and provenance flags

These changes don't affect any user-facing functionality, CLI usage, installation instructions, or developer workflows. The changes are transparent to end users—the CLI will continue to work exactly as documented.

@cubic-dev-ai bot (Contributor) left a comment

No issues found across 2 files

@sestinj merged commit 1c561f0 into main Mar 1, 2026
45 of 53 checks passed
@sestinj deleted the wt-7 branch March 1, 2026 21:25
@github-project-automation bot moved this from Todo to Done in Issues and PRs Mar 1, 2026
@github-actions bot locked and limited conversation to collaborators Mar 1, 2026
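
The conflict described in this PR can be caught before a release run. The following is an added example, not code from the PR or the repository: a dependency-free lint that flags the settings the PR removes (registry-url, always-auth, token variables) and the ones it adds (id-token: write, --provenance). The two workflow strings are constructed for illustration, `audit_workflow` is a hypothetical helper name, and the regex scan is a simplification that does not parse YAML.

```python
import re

# Constructed workflow text for illustration; not the repository's actual files.
BEFORE = """\
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
          always-auth: true
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

AFTER = """\
permissions:
  id-token: write   # lets the job request an OIDC token
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
      - run: npm install -g npm@latest
      - run: npm publish --provenance
"""

def audit_workflow(text):
    """Return findings that keep npm from using OIDC trusted publishing."""
    # Drop YAML comments so commented-out settings are not reported.
    lines = [re.sub(r"(?:^|\s+)#.*$", "", l) for l in text.splitlines()]
    body = "\n".join(lines)
    publishes = [l for l in lines if re.search(r"\bnpm\s+publish\b", l)]
    if not publishes:
        return []  # not a publishing workflow, nothing to check
    findings = []
    for key in ("registry-url", "always-auth"):
        if re.search(rf"^\s*{key}\s*:", body, re.M):
            findings.append(f"setup-node input '{key}' is set")
    if re.search(r"\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b", body):
        findings.append("NPM_TOKEN/NODE_AUTH_TOKEN is referenced")
    if not re.search(r"^\s*id-token\s*:\s*write\s*$", body, re.M):
        findings.append("missing 'id-token: write' permission")
    if any("--provenance" not in l for l in publishes):
        findings.append("npm publish without --provenance")
    return findings

if __name__ == "__main__":
    print(audit_workflow(BEFORE), audit_workflow(AFTER))
```

Run against each file under `.github/workflows/`, a non-empty result marks a publishing workflow that still carries token-based configuration.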