Merged
16 changes: 8 additions & 8 deletions fern/products/sdks/overview/typescript/publishing-to-npm.mdx
Expand Up @@ -8,7 +8,7 @@ registry](https://www.npmjs.com/). After following the steps on this page,
you'll have a versioned package published on npm.

<Warning title="Already publishing to npm?">
If you're currently using token-based authentication, npmjs is deprecating long-lived tokens in early 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
If you're using token-based authentication, npmjs is deprecating long-lived tokens in mid-November 2025. See [Migrating from token-based to OpenID Connect (OIDC) publishing](#migrating-from-token-based-to-oidc-publishing) to upgrade to the more secure OIDC authentication.
</Warning>

<Frame>
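Review bot: The corrected date in the "Already publishing to npm?" warning ("mid-November 2025") has no source next to it, so a reader cannot verify it and the next correction will again be a hand edit. Suggest linking npm's own announcement beside the date.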
Expand Down Expand Up @@ -113,7 +113,7 @@ groups:
Choose how you want to authenticate with npmjs when publishing.

<Warning>
**Starting in early 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
**Starting mid-November 2025**, npmjs.org is deprecating long-lived authentication tokens for publishing from CI/CD workflows. **OpenID Connect (OIDC) authentication is strongly recommended** for security.
</Warning>

<AccordionGroup>
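Review bot: In the authentication `<Warning>`, "Starting mid-November 2025 ... is deprecating" does not say what changes for a workflow that already holds a long-lived token: whether existing tokens stop working on that date or only new ones can no longer be issued. State the effect on existing tokens so readers can judge how urgent the migration is.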
Expand Down Expand Up @@ -190,7 +190,7 @@ OIDC-based publishing (also known as "trusted publishing") is the most secure wa
Common causes:
- Workflow filename doesn't match exactly (must be `ci.yml`)
- Trusted publisher configuration on npmjs.com doesn't match your repository settings
- Using self-hosted runners (not currently supported by npmjs.org)
- Using self-hosted runners (not supported by npmjs.org)

**Solution:** Double-check your trusted publisher configuration on npmjs.com matches your repository name and workflow filename exactly.

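Review bot: The "Common causes" list around the self-hosted runner bullet is shorter than the matching list in the migration troubleshooting section later in this file, which also names a missing `id-token: write` permission and an npm CLI older than 11.5.1. Since this PR edits the same bullet in both lists, consider adding those two causes here as well, or linking to the longer list, so the two troubleshooting sections agree.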
Expand All @@ -205,7 +205,7 @@ Provenance attestations aren't generated for packages published from private rep
<Accordion title="Token-based authentication (Legacy)">

<Warning>
**This method is being deprecated by npmjs.org in early 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
**This method is being deprecated by npmjs.org in mid-November 2025.** Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. [OIDC-based authentication is strongly recommended instead](#migrating-from-token-based-to-oidc-publishing).
</Warning>

<Steps>
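Review bot: The legacy-token warning repeats the "mid-November 2025" date that the two earlier warnings in this file also carry, and all three copies had to be changed by hand here. Consider stating the date in one warning and having the others point to the migration section, so a future change cannot leave the copies out of sync.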
Expand Down Expand Up @@ -266,7 +266,7 @@ Your SDK will automatically be published to npmjs when you create a GitHub relea

1. Create a GitHub release with a version tag (for example, `v1.0.0`)
1. The CI workflow will run automatically and publish to npm
1. View your package on npmjs.com to confirm the new version
1. View your package on npmjs.com to confirm the version

<Accordion title="Alternative: Manual workflow dispatch">

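Review bot: In the last step of the release list, "confirm the version" is vaguer than the wording it replaces: the reader is checking that the version they just tagged is the one npmjs.com shows. Suggest "confirm the published version matches your release tag".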
Expand Down Expand Up @@ -307,7 +307,7 @@ Add your `FERN_TOKEN` as a repository secret (run `fern token` to generate one),

## Migrating from token-based to OIDC publishing

If you're currently using token-based authentication and need to migrate to OIDC, follow these steps:
If you're using token-based authentication and need to migrate to OIDC, follow these steps:

### Why migrate to OIDC

Expand Down Expand Up @@ -522,15 +522,15 @@ After completing either migration path:
- Workflow filename doesn't match exactly (must be `ci.yml` with the `.yml` extension)
- Missing `id-token: write` permission in workflow
- npm CLI version is older than 11.5.1
- Using self-hosted runners (not currently supported)
- Using self-hosted runners (not supported)

**Solution:** Double-check your trusted publisher configuration on npmjs.com matches your actual workflow file name and verify all requirements are met.

</Accordion>

<Accordion title="Workflow still using NPM_TOKEN">

If your workflow continues using the old token-based authentication:
If your workflow continues using token-based authentication:

- Verify you've removed the `npm config set` line and the `env: NPM_TOKEN` block from the publish step
- Check that npm CLI version 11.5.1+ is installed (add the update npm step)
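Review bot: The "Workflow still using NPM_TOKEN" checklist, as far as it is visible here, covers removing the `npm config set` line and the `env: NPM_TOKEN` block but not the credential itself. If the remaining bullets do not already say so, add one to delete the `NPM_TOKEN` repository secret and revoke the token on npmjs.com, since a long-lived token that stays valid keeps the exposure this migration is meant to remove.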