CI: publish to npm via trusted publishing (OIDC)#339
Open
yyc1217 wants to merge 1 commit into
Conversation
Replace token-based publishing with npm trusted publishing so releases no longer depend on a stored npm token (which expired and caused 404s) or 2FA prompts:

- Add `permissions: id-token: write` so the job can mint an OIDC token.
- Upgrade the npm CLI to >= 11.5.1 (required for trusted publishing).
- `npm publish` with no NODE_AUTH_TOKEN; npm authenticates via OIDC and attaches provenance automatically.

Requires a one-time trusted publisher configured on npmjs.com for this repo and the workflow file (.github/workflows/actions.yml).
Why
Token-based publishing has been failing: the npm token expired (causing the 404 "Not found"), and npm's 2025 policy tightened CI publishing. Trusted publishing (OIDC) removes tokens entirely — GitHub Actions authenticates to npm via short-lived OIDC tokens, so there's nothing to expire and 2FA no longer applies to the CI publish.
Changes (publish job)
- `permissions: id-token: write` so the job can mint an OIDC token.
- `npm install -g npm@latest` — trusted publishing requires npm CLI ≥ 11.5.1 (newer than what ships with Node 24).
- `npm publish` with no `NODE_AUTH_TOKEN` — npm detects the OIDC environment, authenticates automatically, and also attaches build provenance.

Before this works, configure a trusted publisher for the package:

- Package: `twzipcode-vue` → Settings → Trusted Publisher
- GitHub owner: `yyc1217`
- Repository: `twzipcode-vue`
- Workflow file: `actions.yml`

Once that's saved and this PR is merged, push a tag (e.g. `v3.0.1`) to release — no token needed. You can also delete the now-unused `NPM_TOKEN` secret.

Note

`package.json` is still version `3.0.0` (never successfully published). If the next tag is `v3.0.1`, bump `package.json` to match — happy to do that in this PR or a follow-up.

Verification

…`id-token: write`, the npm upgrade step, and a tokenless `npm publish`.

Generated by Claude Code
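The publish job the description lists, written out as an added example workflow for reference; this is not the PR's own diff (which GitHub hides on this page). The action versions, the `v*` tag trigger and the two guard steps (npm version floor, no leftover token) are assumptions added here.

```yaml
name: publish
on:
  push:
    tags: ['v*']          # assumed: release on tags such as v3.0.1

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # checkout only; nothing else is writable
      id-token: write     # lets the job request an OIDC token for npm
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      - name: Upgrade npm (trusted publishing needs npm CLI >= 11.5.1)
        run: npm install -g npm@latest

      - name: Fail fast if npm is still too old (assumed guard step)
        run: |
          v=$(npm --version)
          lowest=$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)
          [ "$lowest" = 11.5.1 ] || { echo "npm $v < 11.5.1"; exit 1; }

      - name: Refuse to publish with a leftover token (assumed guard step)
        # Keeps the job honest: it must authenticate via OIDC, not a stale NPM_TOKEN.
        run: |
          [ -z "${NODE_AUTH_TOKEN:-}" ] || { echo "NODE_AUTH_TOKEN is set"; exit 1; }

      - run: npm ci

      - name: Publish via OIDC (no NODE_AUTH_TOKEN; provenance attached by npm)
        run: npm publish
```

If the trusted publisher on npmjs.com is not configured for owner `yyc1217`, repository `twzipcode-vue` and workflow `actions.yml`, the `npm publish` step fails authentication; that is the expected failure mode rather than a silent fallback.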