
Conversation

@travi (Member) commented Oct 16, 2025

todo before merging

  • handle dry-run of publish for releases that happen from a sub-directory
  • refine messaging for auth failure errors

outstanding issues after this effort

  • add-channel will fail because of lack of OIDC support. This appears to no longer be true (update: maybe still not fully in the clear, with limited cases hitting issues that are on the registry side)
  • ci verification will not cover node v24. resolving this may warrant switching test frameworks, which is beyond the scope of adding trusted publishing capabilities

fixes #958

travi added 30 commits July 8, 2025 23:49
since oidc removes the need for the token

for #958
since oidc does not currently work for whoami

for #958
BREAKING CHANGE: v25 of semantic-release is now expected

for #958
…m various registries

the trusted publishing verification is incomplete, but this change wires the various options
together, at least

for #958
…ge can succeed

this is the correct call, but details are still incomplete since the bearer token for the request
needs to be the OIDC token from the CI IdP

for #958
@travi travi marked this pull request as draft October 16, 2025 03:20
@travi (Member Author) commented Oct 16, 2025

@semantic-release/maintainers feel free to start reviewing this. there are a few final details that need to be resolved, but this is mostly ready to go. i'd like to get this promoted by the end of the week

@github-actions

🎉 This PR is included in version 13.1.0-beta.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

travi added 2 commits October 18, 2025 09:38
now that the ordering of checks and fallbacks has been settled

for #958
@github-actions

🎉 This PR is included in version 13.1.0-beta.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

@travi travi marked this pull request as ready for review October 18, 2025 15:31
@travi (Member Author) commented Oct 18, 2025

@semantic-release/maintainers based on early feedback from #958 and my tests in https://github.com/travi-test/npm-oidc-test/ and our automated tests running in our pipeline, i'm ready to say this is ready for final review before promoting to stable.

the outstanding issues in the initial PR description have been updated to remain accurate and are beyond the scope of what i think should hold this PR back from being merged

this should be merged with a normal merge rather than being squashed

@babblebey (Member) left a comment

Looks good @travi 👍🏾

Ready when you're ready... Let's go!

Just curious though... I see the Pattern where we're doing some things to orchestrate the OIDC session with the specific CI i.e. (GitHub Actions and GitLab Pipelines)... Is this the kinda pattern we get to follow if we want to support OIDC in other CI environments?? 🤔

@travi (Member Author) commented Oct 19, 2025

Is this the kinda pattern we get to follow if we want to support OIDC in other CI environments?? 🤔

unfortunately, yes, with the current state of things. any new ci providers that are added to the supported list on the npm registry side would require additional implementation in this plugin. i think this work sets us up for that work to be pretty minimal, but it would require work.

the same would be true if alternative registries followed the path outlined in the "For other Registries" section of npm/cli#8336. however, this work prepares us less for that scenario, since this currently puts a hard limit on the official registry. we'd need to check the registry for the presence of this endpoint if that pattern were followed. if a different pattern were followed, we'd need an even more custom implementation per registry.

i don't like this plugin to have any knowledge of the ci service that it is running in, but in the case of both "trusted publishing" and provenance, the ci context is an important detail. ideally, the npm cli could give us a way to check if it is supported without needing to know the level of detail about the context that was required for this change, but that is the current reality.

this was my reasoning when opening npm/cli#8525. i think there are valid pieces of that request to follow up on after getting this version released. i wanted to be early in supporting trusted publishing, but that gap delayed getting this implementation together. now, there are tight deadlines that have already partially passed. this implementation works in the context of the current reality enabled by the current cli and registry. i hope we can influence that path to improve in the future after we release this version. it could simplify our current implementation, but also enable us to support future options as they become available.
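The decision travi describes above, as an added illustration that is not the plugin's own code: trusted publishing is only attempted against the official registry and only when the CI context actually exposes an OIDC token, otherwise the plugin falls back to a classic token. The GitHub Actions variables are the real ones; the GitLab variable name `NPM_ID_TOKEN` and the `NPM_TOKEN` fallback name are assumptions for this example.

```javascript
// Added example, not code from @semantic-release/npm.
// Encodes the constraints discussed in the thread: OIDC ("trusted publishing")
// is tied to (a) the official registry and (b) a CI provider whose OIDC
// context we can recognise. Anything else falls back to token-based auth.

const OFFICIAL_REGISTRY_HOST = "registry.npmjs.org";

function isOfficialRegistry(registryUrl) {
  try {
    return new URL(registryUrl).host === OFFICIAL_REGISTRY_HOST;
  } catch {
    return false; // unparsable registry URL: never treat as official
  }
}

// Recognise a CI context that can mint an OIDC token for the registry.
// Returns a small descriptor, or null when no supported context is present.
function detectOidcContext(env) {
  // GitHub Actions exposes these only when the job has `id-token: write`.
  if (
    env.GITHUB_ACTIONS === "true" &&
    env.ACTIONS_ID_TOKEN_REQUEST_URL &&
    env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
  ) {
    return { provider: "github-actions", requestUrl: env.ACTIONS_ID_TOKEN_REQUEST_URL };
  }
  // GitLab: the job must declare an id_token; NPM_ID_TOKEN is an assumed name.
  if (env.GITLAB_CI === "true" && env.NPM_ID_TOKEN) {
    return { provider: "gitlab", token: env.NPM_ID_TOKEN };
  }
  return null; // unknown CI provider: trusted publishing not available
}

// Ordering of checks and fallbacks: OIDC first (official registry + CI
// context), then a classic token, otherwise no credentials at all.
function chooseAuthStrategy({ env, registryUrl }) {
  if (isOfficialRegistry(registryUrl) && detectOidcContext(env)) {
    return "trusted-publishing";
  }
  if (env.NPM_TOKEN) {
    return "token";
  }
  return "none";
}
```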

@travi travi merged commit d321e46 into master Oct 19, 2025
6 checks passed
@travi travi deleted the beta branch October 19, 2025 16:05
@github-actions

🎉 This PR is included in version 13.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

ensure support for OIDC with the official registry

3 participants