npm oidc #1201
npm oidc #1201
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request aims to migrate the npm package publishing workflow from token-based authentication to OIDC (OpenID Connect) trusted publishing, which enhances security by eliminating the need for long-lived access tokens.
Key changes:
- Addition of OIDC permissions (
id-token: write) at workflow and job levels - Update to Node.js version 24 and ubuntu-24.04 runners
- Modification of npm publish command to include
--provenanceflag for attestation
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20.x' | ||
| permissions: | ||
| id-token: write # Required for OIDC trusted publishing | ||
| contents: write |
There was a problem hiding this comment.
The build job is now empty with no steps defined. An empty job will fail to execute. Either remove this job entirely or add the necessary steps (checkout and setup-node at minimum).
| packages: write | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
There was a problem hiding this comment.
The publish job is missing the checkout step (actions/checkout). This step is required to check out the repository code before setting the package version, installing dependencies, building, and publishing. Without it, the workflow will fail as there will be no code to work with.
| - uses: actions/checkout@v4 |
| publish-gpr: | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| publish: |
There was a problem hiding this comment.
There's a syntax error: incorrect indentation for the publish job. The job name should align with 'build' above (2 spaces), but it has 3 spaces. This will cause a YAML parsing error.
| publish: | |
| publish: |
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| NODE_AUTH_TOKEN: '' # Explicitly empty for install |
There was a problem hiding this comment.
Setting NODE_AUTH_TOKEN to an empty string will prevent npm authentication. For OIDC trusted publishing to work, you should either omit the NODE_AUTH_TOKEN environment variable entirely or configure it properly. When using OIDC with --provenance flag, npm will use the OIDC token automatically and NODE_AUTH_TOKEN should not be set.
| runs-on: ubuntu-24.04 | ||
| permissions: | ||
| contents: read | ||
| packages: write |
There was a problem hiding this comment.
The publish job permissions include 'packages: write' which is for GitHub Packages, but this workflow is publishing to npm registry. For OIDC trusted publishing to npm, you need 'id-token: write' permission instead. The 'packages: write' permission should be removed as it's not relevant for npm publishing.
| packages: write | |
| id-token: write # Required for OIDC trusted publishing to npm |
Signed-off-by: Lee Calcote lee.calcote@layer5.io