Skip to content

ci(release): adopt npm OIDC trusted publishing#658

Draft
0xisk wants to merge 1 commit into
mainfrom
ci/npm-oidc-trusted-publishing
Draft

ci(release): adopt npm OIDC trusted publishing#658
0xisk wants to merge 1 commit into
mainfrom
ci/npm-oidc-trusted-publishing

Conversation

@0xisk

@0xisk 0xisk commented Jul 3, 2026

Copy link
Copy Markdown
Member

What

Switches npm publishing to OIDC trusted publishing — no NPM_TOKEN.

  • Remove NODE_AUTH_TOKEN / NPM_TOKEN from the publish step; npm mints short-lived, repo-scoped credentials per run via the OIDC id-token (id-token: write was already set).
  • Ensure npm ≥ 11.5.1 (npm install -g npm@latest) — trusted publishing requires it, and the .nvmrc Node may bundle an older npm.
  • Keep provenance (NPM_CONFIG_PROVENANCE: true).

Result: no standing npm secret to rotate, no token expiry/scope failures, provenance on npm.

Notes

  • Independent of #657 (release automation + approval gate). Both touch release.yml but in different regions (job-level gate vs. publish-step auth), so they merge cleanly in either order.
  • Reference pattern: OpenZeppelin/openzeppelin-ui/.github/workflows/publish.yml.

Closes #560.

Drop NPM_TOKEN/NODE_AUTH_TOKEN and let npm mint short-lived, repo-scoped
credentials per run via the OIDC id-token (id-token: write was already set),
with provenance. Ensure npm >= 11.5.1, which trusted publishing requires.

Requires the package to be registered as a Trusted Publisher for this repo +
workflow on npmjs.org; publishing fails until that is configured.

Closes #560.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Adopt npm OIDC trusted publishing for releases

1 participant