Switch publish-npm to npm Trusted Publishers (OIDC) and remove npm token auth#106

Merged
jonrohan merged 2 commits into main from copilot/update-publish-npm-job, Jun 30, 2026
Conversation

Copilot AI commented Jun 30, 2026

Contributor

This updates the npm release workflow to use npm Trusted Publishers (OIDC) instead of a long-lived npm_token, while leaving GitHub Packages publishing unchanged. The publish-npm job now aligns with npm provenance + OIDC requirements for modern npm clients.

  • publish-npm: OIDC-based npm publish

    • Removed NODE_AUTH_TOKEN / secrets.npm_token from the publish step.
    • Removed npm whoami (token-dependent precheck not compatible with tokenless trusted publishing).
    • Kept permissions.id-token: write unchanged for OIDC token exchange.
    • Preserved --provenance and --access public on publish.
  • npm client compatibility for trusted publishing

    • Updated global npm upgrade step from npm install -g npm to npm install -g npm@latest so the job uses an npm version that supports trusted publishing with provenance (11.5.1+ required).
  • Scope protection

    • No changes to publish-github; it continues to authenticate with GITHUB_TOKEN for GitHub Packages.

```yaml
# publish-npm tail
- run: npm version ${TAG_NAME} --git-tag-version=false
  env:
    TAG_NAME: ${{ github.event.release.tag_name }}
- run: npm install -g npm@latest
- run: npm --ignore-scripts publish --provenance --access public
```

After merge, a maintainer still needs to register this workflow as an npm trusted publisher for @github/combobox-nav (Settings → Trusted Publishers → GitHub Actions):

  • Org/user: github
  • Repository: combobox-nav
  • Workflow file: publish.yml
  • Environment: none (blank)
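
As an added example (not code from the PR or the combobox-nav repository): a POSIX sh preflight that gives the job back a tokenless precheck in place of the removed `npm whoami`, failing before `npm publish` when the npm CLI on PATH is older than the 11.5.1 floor the description cites for trusted publishing with provenance. The script path `scripts/npm-preflight.sh` and the `NPM_PREFLIGHT` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): gate the OIDC publish step on the npm CLI
# version instead of the removed, token-dependent `npm whoami` precheck.
# Trusted publishing with --provenance needs npm 11.5.1 or newer.
MIN_NPM_VERSION="11.5.1"

# semver_key 11.5.1 -> 11005001. Pre-release/build suffixes are dropped and
# each component is assumed to be below 1000. Returns 1 on a malformed version.
semver_key() {
  v=${1%%-*}; v=${v%%+*}
  case "$v" in
    *[!0-9.]*|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $v
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# version_ge A B: exit 0 when A >= B by numeric semver precedence.
version_ge() {
  ka=$(semver_key "$1") || return 1
  kb=$(semver_key "$2") || return 1
  [ "$ka" -ge "$kb" ]
}

# npm_preflight VERSION: exit 0 when VERSION can do trusted publishing with
# provenance, 1 (with a message on stderr) otherwise. Assumed workflow usage:
#   - run: NPM_PREFLIGHT=1 sh scripts/npm-preflight.sh
npm_preflight() {
  if version_ge "$1" "$MIN_NPM_VERSION"; then
    echo "npm $1 supports trusted publishing (>= $MIN_NPM_VERSION)"
    return 0
  fi
  echo "npm $1 is too old for trusted publishing; need >= $MIN_NPM_VERSION" >&2
  return 1
}

# Only query the real npm when invoked as the workflow step (NPM_PREFLIGHT=1),
# so the functions above can be sourced and tested without npm installed.
if [ "${NPM_PREFLIGHT:-0}" = "1" ]; then
  npm_preflight "$(npm --version)"
fi
```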

GitHub Advanced Security started work on behalf of jonrohan June 30, 2026 17:09
GitHub Advanced Security finished work on behalf of jonrohan June 30, 2026 17:09
GitHub Advanced Security started work on behalf of jonrohan June 30, 2026 17:12
GitHub Advanced Security finished work on behalf of jonrohan June 30, 2026 17:12
Copilot AI changed the title from "[WIP] Update publish-npm job to use trusted publishing" to "Switch publish-npm to npm Trusted Publishers (OIDC) and remove npm token auth" Jun 30, 2026
Copilot AI requested a review from jonrohan June 30, 2026 17:12
@jonrohan jonrohan marked this pull request as ready for review June 30, 2026 17:13
@jonrohan jonrohan requested a review from a team as a code owner June 30, 2026 17:13
Copilot AI review requested due to automatic review settings June 30, 2026 17:13
@jonrohan jonrohan enabled auto-merge June 30, 2026 17:13
@jonrohan jonrohan disabled auto-merge June 30, 2026 17:13
@jonrohan jonrohan enabled auto-merge June 30, 2026 17:13
@jonrohan jonrohan disabled auto-merge June 30, 2026 17:13
@jonrohan jonrohan merged commit 4f9fe28 into main Jun 30, 2026
8 checks passed
@jonrohan jonrohan deleted the copilot/update-publish-npm-job branch June 30, 2026 17:13

Copilot AI left a comment


Pull request overview

This PR updates the release publishing workflow to publish to npm via npm Trusted Publishers (OIDC) rather than a long-lived npm token, while keeping GitHub Packages publishing unchanged.

Changes:

  • Removes NODE_AUTH_TOKEN / secrets.npm_token usage and the token-dependent npm whoami precheck from the npm publish job.
  • Ensures a sufficiently new npm CLI is installed before publishing with provenance by upgrading npm in the workflow.
  • Leaves publish-github behavior intact (still uses GITHUB_TOKEN for GitHub Packages).
Summary per file

File: .github/workflows/publish.yml
Description: Switches the npm publish job to OIDC/trusted publishing and updates the npm CLI install step accordingly.

Review details

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +42 to +43
# npm 11.5.1+ is required for trusted publishing (OIDC) with provenance
- run: npm install -g npm@latest
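Review bot: the comment on lines +42 to +43 states a floor of npm 11.5.1, but `npm install -g npm@latest` installs whatever the registry serves as latest at run time, so the job neither pins the npm version it publishes with nor checks that the installed one actually meets that floor. Consider either pinning to a known-good release (with the comment explaining why that release) or adding a step that runs `npm --version` and fails the job when it is below 11.5.1, which also restores a preflight in place of the removed `npm whoami`.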