fix: Node 24 + OIDC Trusted Publishing #4

Merged: y1o1 merged 1 commit into develop from fix/trusted-publisher-oidc on Apr 14, 2026

y1o1 (Contributor) commented Apr 14, 2026

Summary

  • Upgrade Node.js 22 → 24 across all workflows (CI + release)
  • Node 24 ships npm 11.x+ with native OIDC Trusted Publishing support
  • Remove NODE_AUTH_TOKEN / NPM_TOKEN secret — OIDC handles npm auth automatically via id-token: write permission

Context

Release workflows were failing with ENEEDAUTH because NPM_TOKEN secret was not set. With Trusted Publishers configured on npm, OIDC authentication is the correct approach.

Test plan

  • CI should pass with Node 24
  • Release workflow should publish via OIDC (verify on next tag push)

🤖 Generated with Claude Code

- Upgrade Node.js from 22 to 24 across all workflows (CI + release)
- Node 24 ships npm 11.x+ with OIDC Trusted Publishing support
- Remove NODE_AUTH_TOKEN secret reference — OIDC handles auth automatically

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 14, 2026 12:50
y1o1 merged commit d0b791f into develop Apr 14, 2026
3 checks passed

Copilot AI left a comment

Pull request overview

Updates GitHub Actions workflows to use Node.js 24 and switches npm publishing authentication from a secret-based token to OIDC Trusted Publishing, aligning releases with npm’s recommended GitHub Actions auth flow.

Changes:

  • Bump Node.js version from 22 to 24 in CI and release workflows.
  • Remove NODE_AUTH_TOKEN / NPM_TOKEN usage from the npm publish step to rely on OIDC (id-token: write).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/release.yml | Node 24 upgrade; removes token-based publish env in favor of OIDC permissions. |
| .github/workflows/ci.yml | Node 24 upgrade for CI execution. |

Comment on lines 69 to 71
- name: Publish
if: steps.npm_check.outputs.skip != 'true'
run: pnpm publish --access public --no-git-checks --provenance

Copilot AI Apr 14, 2026

PR description states we’re relying on npm 11’s native OIDC Trusted Publishing support, but the workflow still publishes via pnpm publish. If pnpm’s publisher path doesn’t implement npm’s OIDC token exchange, this may still fail with ENEEDAUTH even on Node 24. Consider switching this step to npm publish --provenance ... (keeping pnpm for install/build), or document/verify that pnpm publish supports npm Trusted Publishing OIDC in GitHub Actions.

Copilot uses AI. Check for mistakes.
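
A preflight check for the conditions discussed in this thread, as an added example that is not part of the PR or the project's code: it scans a workflow's text for the `id-token: write` permission, leftover `NODE_AUTH_TOKEN` / `NPM_TOKEN` references, a Node version below 24, and a non-npm publish client (the reviewer's open question). The two workflows and the finding names are constructed for illustration, and the check works on text patterns rather than parsed YAML.

```python
import re

# Constructed sample workflows (not the project's files): token-based "before", OIDC "after".
BEFORE = """\
permissions:
  contents: read
jobs:
  release:
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - name: Publish
        run: pnpm publish --access public --no-git-checks --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
AFTER = """\
permissions:
  contents: read
  id-token: write
jobs:
  release:
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 24
      - name: Publish
        run: pnpm publish --access public --no-git-checks --provenance
"""

def audit(workflow: str) -> list[str]:
    """Return findings (hypothetical names) that block or weaken OIDC-based publishing."""
    findings = []
    # Drop full-line comments so a commented-out setting does not count.
    text = "\n".join(l for l in workflow.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"^\s*id-token:\s*write\s*$", text, re.M):
        findings.append("missing-id-token-write")       # no OIDC token can be requested
    if re.search(r"\b(NODE_AUTH_TOKEN|NPM_TOKEN)\b", text):
        findings.append("long-lived-token-referenced")  # secret-based auth still wired in
    versions = [int(v) for v in re.findall(r"node-version:\s*['\"]?(\d+)", text)]
    if not versions or min(versions) < 24:
        findings.append("node-older-than-24")           # the PR's premise: Node 24 brings npm 11.x+
    if re.search(r"^\s*(-\s*)?run:.*\b(pnpm|yarn)\s+publish\b", text, re.M):
        findings.append("non-npm-publish-client")       # verify this client does the OIDC exchange
    return findings
```

On the constructed "after" workflow the only remaining finding is the publish client, which is the point the review comment asks to verify before the next tag push.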