chore: switch npm releases to trusted publishing (OIDC)#585

Merged
styfle merged 2 commits into main from chore/npm-trusted-publishing
May 22, 2026

Conversation

@jeffsee55 (Contributor)

Summary

  • Publish @vercel/nft from CI using npm trusted publishing (GitHub Actions OIDC) instead of the long-lived NPM_TOKEN_ELEVATED secret.
  • Run semantic-release on Node 22 to meet npm’s trusted publishing requirements (Node ≥ 22.14, npm ≥ 11.5.1).
  • Set an explicit repository.url in package.json so npm can verify the GitHub repo during OIDC publish.

Prerequisites (before merge / first release)

Configure a trusted publisher on npm for @vercel/nft:

  1. Package settings → Trusted publishing
  2. Provider: GitHub Actions
  3. Repository: vercel/nft
  4. Workflow filename: ci.yml

After the first successful OIDC publish, consider restricting package publishing access to disallow tokens.

Test plan

  • Trusted publisher configured on npmjs.com for workflow ci.yml
  • Merge to main and confirm semantic-release publishes without NPM_TOKEN
  • Verify published package includes provenance attestations

Made with Cursor
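
A minimal release job carrying the settings the summary above calls for, added here as an illustration; it is not this PR's actual ci.yml diff (which is not shown on the page). The job name, build step, action versions and the way npm is upgraded are assumptions.

```yaml
# Hypothetical release job for .github/workflows/ci.yml (illustrative, not the PR's diff).
name: CI

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # semantic-release pushes the release tag and notes
      id-token: write   # lets the job request a GitHub OIDC token; npm exchanges it
                        # for a short-lived publish credential scoped to this run
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the checkout token in .git/config

      - uses: actions/setup-node@v4
        with:
          node-version: 22             # trusted publishing needs Node >= 22.14

      # Trusted publishing needs npm >= 11.5.1; the runner's bundled npm may be older.
      - run: npm install -g npm@latest
      - run: npm --version

      - run: npm ci
      - run: npm run build            # assumed build script

      # No NPM_TOKEN here: the registry authenticates the job by its OIDC identity
      # (repository vercel/nft, workflow ci.yml) matched against the trusted publisher
      # configured in the package settings, and verifies repository.url in package.json.
      # Provenance attestations are generated as part of the OIDC publish.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Until the trusted publisher is configured on npmjs.com, a publish from this job fails at the registry, which is the expected error noted later in this thread.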

Remove long-lived NPM_TOKEN from CI and rely on GitHub Actions OIDC.
Run semantic-release on Node 22 to meet npm trusted publishing requirements.

Co-authored-by: Cursor <cursoragent@cursor.com>
@jeffsee55 jeffsee55 requested review from a team, icyJoseph, ijjk and styfle as code owners May 21, 2026 20:13
Comment thread: .github/workflows/ci.yml

@styfle (Member) left a comment

Looks good but I don't have access to the link in your PR description to set this up

Package settings → Trusted publishing

@styfle styfle merged commit 1ebd2b1 into main May 22, 2026
26 of 27 checks passed
@styfle styfle deleted the chore/npm-trusted-publishing branch May 22, 2026 17:09
@styfle (Member) commented May 22, 2026

@jeffsee55 (Contributor, Author)

@styfle I think this is the expected error until trusted publishing is enabled
