fix: OIDC npm publishing #23

Merged: mattcosta7 merged 1 commit into main from fix-browser-tests on Feb 19, 2026

@mattcosta7 (Member)

Changes

  • Add publishConfig with access: public and registry to package.json (required for scoped packages)
  • Use NPM_CONFIG_PROVENANCE: true env var instead of --provenance CLI flag
  • Set NPM_TOKEN: '' to enable OIDC token exchange in changesets action
  • Add npm update -g npm step for latest OIDC support
  • Add concurrency group to prevent parallel release runs

Previous publish attempts failed with E404 because:

  1. Missing publishConfig.access: public for the scoped @github-ui package
  2. --provenance CLI flag wasn't propagating correctly through changesets
  3. OIDC token exchange needed explicit empty NPM_TOKEN

- Add publishConfig with access: public and registry for scoped package
- Add NPM_CONFIG_PROVENANCE env var instead of --provenance CLI flag
- Set NPM_TOKEN to empty string for OIDC token exchange
- Add npm update step for latest npm OIDC support
- Add concurrency group to prevent parallel releases
Copilot AI review requested due to automatic review settings February 19, 2026 21:11
@mattcosta7 mattcosta7 temporarily deployed to github-pages-preview February 19, 2026 21:12 — with GitHub Actions Inactive
@mattcosta7 mattcosta7 merged commit c57d15d into main Feb 19, 2026
17 of 18 checks passed
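
A preflight check for the failure causes listed in the description above, as an added example that is not part of the pull request or the project's code. The registry URL, the package name and the function name are assumptions; the ACTIONS_ID_TOKEN_REQUEST_* check goes beyond the description and relies on the runner setting those variables only when the job has id-token: write.

```javascript
// Added example, not the project's code. EXPECTED_REGISTRY is an assumption:
// the PR excerpt does not show the registry value it configures.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';
const stripSlash = (u) => String(u || '').replace(/\/+$/, '');

function checkOidcPublish(pkg, env) {
  const problems = [];
  const cfg = pkg.publishConfig || {};
  const scoped = typeof pkg.name === 'string' && pkg.name.startsWith('@');

  // Scoped packages publish as restricted unless access is set explicitly.
  if (scoped && cfg.access !== 'public') {
    problems.push('publishConfig.access must be "public" for a scoped package');
  }
  if (stripSlash(cfg.registry) !== stripSlash(EXPECTED_REGISTRY)) {
    problems.push('publishConfig.registry is missing or unexpected');
  }
  // Environment values are always strings, so compare against "true".
  if (env.NPM_CONFIG_PROVENANCE !== 'true') {
    problems.push('NPM_CONFIG_PROVENANCE is not "true"');
  }
  // The PR sets NPM_TOKEN to '' so the changesets action uses OIDC exchange.
  if (env.NPM_TOKEN) {
    problems.push('NPM_TOKEN is non-empty; the PR expects an empty value');
  }
  // The runner exposes these only when the job grants id-token: write.
  for (const name of ['ACTIONS_ID_TOKEN_REQUEST_URL', 'ACTIONS_ID_TOKEN_REQUEST_TOKEN']) {
    if (!env[name]) problems.push(`${name} is unset; job lacks id-token: write`);
  }
  return problems;
}

// Constructed inputs: a package before the fix, and the state the PR describes.
const before = { name: '@github-ui/example-package' }; // hypothetical name
const after = {
  ...before,
  publishConfig: { access: 'public', registry: EXPECTED_REGISTRY },
};
const ciEnv = {
  NPM_TOKEN: '',
  NPM_CONFIG_PROVENANCE: 'true',
  ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/oidc', // constructed
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed-placeholder',
};

console.log(checkOidcPublish(before, { NPM_TOKEN: 'npm_constructed' }));
console.log(checkOidcPublish(after, ciEnv));
```

Run as a step before the publish step with the parsed package.json and process.env, and fail the job when the returned list is not empty.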

Copilot AI (Contributor) left a comment

Pull request overview

Updates the release/publish configuration to enable successful npm publishing via OIDC (including provenance) for the scoped @github-ui package.

Changes:

  • Add publishConfig (registry + access: public) to the published package’s package.json.
  • Adjust the publish GitHub Action to use NPM_CONFIG_PROVENANCE and OIDC-oriented env vars, and update npm before publishing.
  • Add workflow concurrency to prevent parallel release runs on the same ref.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File | Description
packages/storybook-addon-performance-panel/package.json | Adds publishConfig to ensure correct registry/access behavior when publishing the scoped package.
.github/workflows/publish.yml | Adjusts the release workflow for OIDC/provenance publishing and adds concurrency control.

"directory": "packages/storybook-addon-performance-panel"
},
"publishConfig": {
"access": "public",
push:
branches: [main]

concurrency: ${{ github.workflow }}-${{ github.ref }}
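Review bot: the concurrency line uses the string shorthand, so cancel-in-progress is left at its default of false and that intent is not visible in the file. For a release workflow, write it as a mapping with group and an explicit cancel-in-progress: false, so a later edit cannot quietly enable cancelling a publish that is already running. If push to main is the only trigger, github.ref is always refs/heads/main and the group is effectively one constant per workflow; GitHub also keeps only one pending run per group, so a newer queued push replaces an older queued one.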
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ''
NPM_CONFIG_PROVENANCE: true
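Review bot: NPM_TOKEN: '' reads like a mistake to anyone who has not seen this PR; add a YAML comment on that line stating that it is deliberately empty so the changesets action performs the OIDC token exchange, otherwise a later cleanup may wire a long-lived secret back in. The excerpt does not show a permissions block: OIDC publishing and provenance need id-token: write, so confirm it is granted on this job only and that the remaining scopes are limited to what the changesets action needs.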