

@MantisClone MantisClone commented Oct 17, 2025

Problem

NPM package publishing uses long-lived tokens (NODE_AUTH_TOKEN) which pose security risks if compromised or exposed.

Solution

  • Implement OIDC Trusted Publisher authentication for secure, token-less NPM publishing
  • Update GitHub Actions workflow with required OIDC permissions
  • Upgrade to Node 20 (Node 18 reached EOL in March 2025)
  • Ensure npm 11.5.1+ for OIDC support
  • Fix missing @types/prettier dependency

Considerations

  • Trusted Publisher must be configured on npmjs.com for request-injector package
  • No backward compatibility issues - workflow maintains same triggers
  • Automatic provenance generation included with OIDC publishing

Summary by CodeRabbit

  • Chores
    • Updated Node.js runtime to version 20
    • Enhanced npm publishing with provenance verification
    • Updated build tooling to npm version 11.5.1
    • Improved development tooling with type definitions for Prettier

- Add OIDC permissions (id-token: write, contents: read)
- Update to actions/setup-node@v4 and Node 20
- Add npm update step to ensure npm 11.5.1+
- Remove NODE_AUTH_TOKEN (OIDC handles authentication)
- Add @types/prettier to fix build errors
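
The workflow shape this PR describes (OIDC permissions, setup-node@v4 on Node 20, an npm floor of 11.5.1, no NODE_AUTH_TOKEN, and npm publish --provenance), written out as an added example; it is not the request-cli repository's own npm-publish.yaml. The release trigger, the checkout/install/build steps and the secret name in the comment are assumptions; the Trusted Publisher registration named in the comments (organization RequestNetwork, repository request-cli, workflow npm-publish.yaml) comes from the review thread.

```yaml
# Added example, not the repository's own .github/workflows/npm-publish.yaml.
# Assumed: the release trigger, the checkout/install/build steps and script names.
name: npm-publish

on:
  release:
    types: [published]

# The job may mint a GitHub-signed OIDC identity token and read the checkout;
# nothing else. No npm secret is referenced anywhere in this file.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # The npm bundled with Node 20 predates Trusted Publishing; npm 11.5.1
      # is the floor the PR names, pinned exactly rather than npm@latest.
      - name: Update npm
        run: npm install -g npm@11.5.1

      - run: npm ci
      - run: npm run build

      # Before this change the publish step carried a long-lived secret
      # (secret name assumed):
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # removed
      # Now npm exchanges the job's OIDC token for a short-lived publish
      # credential. This only works if request-injector is registered on
      # npmjs.com as a Trusted Publisher for RequestNetwork/request-cli with
      # this exact workflow filename; otherwise the publish step fails to
      # authenticate. --provenance attaches a signed build attestation.
      - name: Publish
        run: npm publish --provenance
```
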

coderabbitai bot commented Oct 17, 2025

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The PR adds TypeScript type definitions for Prettier as a development dependency and updates the npm publishing GitHub Actions workflow to use OIDC-based authentication with Node.js 20, npm 11.5.1+, and provenance-based publishing.

Changes

Cohort / File(s): Summary
  • Dev Dependencies (package.json): Added @types/prettier (^2.7.3) as a dev dependency for TypeScript type definitions.
  • Publishing Workflow (.github/workflows/npm-publish.yaml): Updated GitHub Actions workflow: added OIDC permissions (id-token: write, contents: read), upgraded setup-node from v3 to v4, bumped Node.js from 18 to 20, added npm update step to ensure v11.5.1+, removed NODE_AUTH_TOKEN environment variable, and added --provenance flag to npm publish command.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Security-critical workflow changes (OIDC adoption): verify permissions and publish flags are correctly configured
  • Node.js and npm version upgrades: confirm compatibility with codebase
  • Removal of NODE_AUTH_TOKEN environment variable: ensure OIDC registry authentication is properly configured

Possibly related PRs

  • feat: add CI for auto publishing CLI #10: Modifies the same npm-publish GitHub Actions workflow, with this PR building upon those foundational publishing infrastructure changes.
  • chore: add OIDC Trusted Publisher for NPM #13: Contains identical code-level changes to both package.json and npm-publish.yaml—adding OIDC permissions, upgrading node setup and version, ensuring npm version, removing NODE_AUTH_TOKEN, adding --provenance, and adding @types/prettier.

Suggested reviewers

  • rodrigopavezi
  • aimensahnoun
  • bassgeta

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name / Status / Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The pull request title "chore: add OIDC Trusted Publisher for NPM" accurately captures the primary objective of the changeset. According to the PR objectives, the main goal is to implement OIDC Trusted Publisher authentication to enable secure, token-less NPM publishing, which is precisely what the title states. The title is specific and clear, using conventional commit format appropriately for a maintenance change. The supporting modifications—such as Node.js version upgrades, npm updates, and the addition of @types/prettier—are secondary to this core objective and do not obscure the main purpose conveyed by the title.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4205327 and 56f1ae3.

📒 Files selected for processing (1)
  • .github/workflows/npm-publish.yaml (3 hunks)


@MantisClone MantisClone marked this pull request as ready for review October 17, 2025 21:13
Copilot AI review requested due to automatic review settings October 17, 2025 21:13

Copilot AI left a comment


Pull Request Overview

Switch publishing to npm OIDC Trusted Publisher, modernize the workflow to Node 20, ensure a compatible npm version for OIDC, and add missing type dependency.

  • Add OIDC permissions and remove token-based publishing in GitHub Actions
  • Upgrade runner to Node 20 and update npm during CI
  • Add @types/prettier to devDependencies

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File / Description
  • package.json: Adds @types/prettier to devDependencies to address missing types.
  • .github/workflow/npm-publish.yaml: Configures OIDC permissions, upgrades setup-node to v4 with Node 20, updates npm, and removes NODE_AUTH_TOKEN from publish step.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflow/npm-publish.yaml (1)

26-28: Avoid using npm@latest for version pinning.

The step npm install -g npm@latest is too permissive and could introduce breaking changes. The PR states npm 11.5.1+ is required for OIDC support, so consider pinning to a specific minimum version instead.

Apply this diff to pin npm to a safe, tested version:

-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm
+        run: npm install -g npm@11.5.1
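
Review bot: the exact pin `npm install -g npm@11.5.1` is the right default for a publish job, but the reason for that version lives only in the PR description; add a comment on the step (for example `# npm >= 11.5.1 is required for OIDC Trusted Publishing`) so a later maintainer neither lowers it nor reverts to npm@latest. Since the pinned npm is itself fetched from the registry at run time, future bumps of this line should be reviewed like any other dependency change.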

Alternatively, if you want to allow minor/patch updates:

-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm
+        run: npm install -g 'npm@^11.5.1'
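
Review bot: `'npm@^11.5.1'` keeps the OIDC floor but lets the npm that performs the publish float across minor versions from run to run, which is the very drift the comment above set out to avoid; if this variant is chosen, follow it with a `run: npm --version` step so each run's log records which npm published the package. Keep the quotes around the range: `^` is special in some shells (cmd.exe, and zsh with extended globbing), so an unquoted spec can break on a different runner.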
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1781870 and 4205327.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .github/workflow/npm-publish.yaml (2 hunks)
  • package.json (1 hunks)
🔇 Additional comments (4)
package.json (1)

21-21: Verify @types/prettier is actually required by the codebase.

@types/prettier is being added as a devDependency, but the PR description and workflow changes don't clarify why this package is needed. If Prettier isn't used in the codebase (e.g., not imported, not configured in tsconfig, or not part of build tooling), this is an unnecessary dependency.

Please confirm:

  1. Is Prettier actually used in this project for code formatting or as part of the build process?
  2. If so, is there an actual Prettier import that requires the type definitions?
  3. Is this addition necessary for the TypeScript build to succeed during the publish workflow?
.github/workflow/npm-publish.yaml (3)

9-11: Permissions block correctly configured for OIDC.

The id-token: write permission enables GitHub's OIDC provider to issue a token, and contents: read allows repository access. This is the correct permission model for OIDC authentication.


48-50: OIDC Trusted Publisher must be pre-configured on npmjs.com.

The removal of NODE_AUTH_TOKEN is correct for OIDC authentication. However, this workflow requires that you have already configured the request-injector package as a Trusted Publisher on npmjs.com before this workflow will succeed. This is a critical prerequisite that cannot be skipped.

Verify the setup at: https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-web

Confirm that:

  1. You have admin access to the request-injector package on npmjs.com
  2. The package is registered as a Trusted Publisher with GitHub (organization: RequestNetwork, repository: request-cli, workflow: npm-publish.yaml)
  3. The package on npmjs.com allows publishing from this GitHub Actions workflow via OIDC

Without this external configuration, the npm publish step will fail with authentication errors.


21-21: The review comment's premise about version upgrades is inaccurate and does not reflect reality.

setup-node@v3 ran on Node 16, not Node 18, and setup-node@v4 upgraded the action runtime to Node 20. More importantly, verification shows this upgrade is entirely safe for this project:

  • No engine constraint exists: package.json has no explicit Node version requirement, providing full compatibility flexibility
  • Dependencies are compatible: @types/node is already at ^22.4.1 (targeting Node 22+), well-aligned with Node 20 LTS
  • @types/prettier has no issues: It's a simple typing package with no known Node 20 compatibility concerns
  • Existing dependencies are modern: typescript ^5.5.4 and other dev dependencies have no Node 20 incompatibilities

The upgrade proceeds without risk. No compatibility verification is needed.

bassgeta
bassgeta previously approved these changes Oct 20, 2025

@bassgeta bassgeta left a comment


Looking good 😎
Although Copilot is on to something here, why do we have a directory named workflow instead of workflows? 🤔


@bassgeta bassgeta left a comment


Reapproving 😎

@MantisClone MantisClone merged commit 7e12f81 into main Oct 28, 2025
@MantisClone MantisClone deleted the oidc-npm-publish branch October 28, 2025 13:20


Development

Successfully merging this pull request may close these issues.

Migrate web-components and request-cli to OIDC Trusted Publisher

3 participants