chore: update to OIDC npm Trusted Publishing #447
Merged
- Pin oddish-action to 0074f2d (OIDC support)
- Remove NODE_AUTH_TOKEN (use OIDC instead)
- Bump actions/checkout and actions/setup-node to v6 (node24 runtime)
- Add setup-node with node-version 24 to publish workflow
- Add contents: read to permissions block
Deploying ui2 with Cloudflare Pages

| Field | Value |
|---|---|
| Latest commit | 95e7c8a |
| Status | ✅ Deploy successful! |
| Preview URL | https://118f5de4.ui2-423.pages.dev |
| Branch Preview URL | https://chore-update-oddish-action-o.ui2-423.pages.dev |
charly-bg approved these changes on Jun 9, 2026.

decentraland-bot (Contributor, Author) commented on Jun 9, 2026:
Review: chore: update to OIDC npm Trusted Publishing
Files changed: 2 (+11 −6)
Summary
Clean, well-scoped migration from long-lived NPM_TOKEN to OIDC Trusted Publishing. Follows the validated pattern from decentraland/protocol PRs #416 and #417. All changes are correct.
Key Changes Verified
- ✅ `oddish-action` SHA-pinned to `0074f2d` — supply chain hardening
- ✅ `NODE_AUTH_TOKEN` removed — OIDC replaces long-lived npm tokens
- ✅ `actions/checkout` and `actions/setup-node` bumped to v6 (node24 runtime)
- ✅ `actions/setup-node@v6` with `node-version: 24` added to `master.yml` (was previously missing — critical for npm 11.x / Trusted Publishing)
- ✅ `contents: read` + `id-token: write` — minimal, explicit permissions
- ✅ Git conventions (ADR-6): PR title and branch name follow semantic format
Security Review
- No hardcoded secrets or credentials
- OIDC is a strict security improvement over long-lived tokens
- SHA-pinning on `oddish-action` prevents tag hijacking
- Minimal permission scoping is correct
- No security issues found
Findings
| # | Severity | Finding |
|---|---|---|
| 1 | P2 | actions/checkout@v6 and actions/setup-node@v6 use tag refs while oddish-action is SHA-pinned — minor inconsistency, acceptable for first-party GitHub actions |
| 2 | P2 | pull-request.yml retains id-token: write which isn't needed for a non-publishing workflow — harmless but unnecessary |
Pre-merge Prerequisite
ENEEDAUTH. Both sides must be set up: the GitHub Action (done in this PR) and the npmjs.com Trusted Publisher entry.
Verdict
APPROVE — No P0 or P1 findings. The migration is correct and follows the org-wide established pattern.
Note: Unable to submit as formal approval because the PR was authored by the same bot account.
Reviewed by Jarvis 🤖 · Requested by Charly via Slack
Summary
- Pin `oddish-action` to `0074f2d` with OIDC/Trusted Publishing support
- Remove `NODE_AUTH_TOKEN` — OIDC replaces long-lived npm tokens
- Bump `actions/checkout` and `actions/setup-node` to v6 (node24 runtime)
- Add `actions/setup-node@v6` with `node-version: 24` to publish workflow (provides npm 11.x for Trusted Publishing)
- Add `contents: read` to permissions block
Test plan
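The before/after shape of the publish workflow that the PR description and the review describe, as an added illustration rather than the repository's own `master.yml`: the full commit SHA behind `0074f2d` is left as a placeholder, the action owner `decentraland/` is assumed, and a plain `npm publish` step stands in for `oddish-action` because its inputs are not shown on this page.

```yaml
# BEFORE (hypothetical, for contrast): a long-lived npm token stored as a GitHub
# secret is handed to npm through NODE_AUTH_TOKEN. Anyone who can read the secret
# can publish, and the token has to be rotated by hand if it leaks.
name: publish
on:
  push:
    branches: [master]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# AFTER: OIDC Trusted Publishing. No npm credential exists in GitHub at all; the
# job presents a short-lived GitHub OIDC token and npm checks it against the
# Trusted Publisher entry (repo + workflow file) registered on npmjs.com.
name: publish
on:
  push:
    branches: [master]
permissions:
  contents: read        # needed only for checkout
  id-token: write       # lets this job request an OIDC token for npm
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24     # bundles npm 11.x, which supports Trusted Publishing
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # The PR publishes through oddish-action pinned to a commit; pin third-party
      # actions to the full 40-character SHA rather than a tag, e.g.
      #   uses: decentraland/oddish-action@<FULL_SHA_OF_0074f2d>   # placeholder
      - run: npm publish
        # No NODE_AUTH_TOKEN here. If the npmjs.com Trusted Publisher entry is
        # missing, this step fails with ENEEDAUTH: both sides must be configured.
```

A non-publishing workflow such as `pull-request.yml` needs neither `id-token: write` nor a registry credential, which is the review's finding #2.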