chore(ci): switch publish workflow to npm OIDC trusted publishing#61
Merged
Conversation
Drops the rotating NPM_TOKEN secret in favor of npm's OIDC trusted-publisher flow. The id-token: write permission was already declared on this job; this PR completes the swap by removing NODE_AUTH_TOKEN (no longer needed) and adding --provenance so each published version carries a signed attestation back to this workflow + tag. Trusted publisher must be configured at npmjs.com side first (Settings > Trusted Publishers > GitHub Actions, org=tangle-network, repo=agent-integrations, workflow=publish.yml) — completed before this PR landed. Fixes the E404-on-PUT failure mode that has blocked v0.29.0, v0.30.0, and v0.31.0 publishes.
tangletools
approved these changes
May 31, 2026
tangletools
left a comment
Contributor
There was a problem hiding this comment.
OIDC switch LGTM as tangletools. Removes the rotating secret, adds signed provenance, prereq (trusted publisher at npmjs.com) confirmed by author. Unblocks the 3 stuck releases.
tangletools
added a commit
that referenced
this pull request
Jun 1, 2026
Drop NPM_TOKEN env path, always pass --provenance, simplify error message to point at the trusted-publisher config. Mirrors the cleanup in tangle-network/agent-dev-container#1550 that flips publish-sandbox-sdk/-cli/hub-sdk to OIDC-only. Prerequisite: /package/@tangle-network/agent-integrations/access trusted publisher entry must be at PACKAGE level with workflow=publish.yml env=blank. The trusted-publisher entry from session-earlier #61 may still be there (it was reverted to NPM_TOKEN in #62 but the npm-side config is decoupled). If publish fails after merge, verify the entry exists at the package level. Co-authored-by: Drew Stone <hello@tangle.tools>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Drops the rotating
NPM_TOKENsecret in favor of npm's OIDC trusted-publisher flow.The
id-token: writepermission was already declared on this job; this PR completes the swap:NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}(no longer needed)--provenanceso each published version carries a signed attestation back to this workflow + tagPrerequisite
Trusted publisher configured at npmjs.com — Settings > Trusted Publishers > GitHub Actions:
tangle-networkagent-integrationspublish.yml(Configured by Drew before this PR.)
What this unblocks
Fixes the
E404-on-PUTfailure mode that has silently blocked v0.29.0, v0.30.0, and v0.31.0 publishes — the brokenNPM_TOKENno longer matters when OIDC handles auth.After merge:
gh workflow run publish.yml --ref v0.31.0should successfully publish 0.31.0 (with the 541 wave-2-6 adapters bundled). Tag retriggers were no-ops while auth was broken; they'll fire cleanly now.