Replace npm token auth with OIDC trusted publishing #656
Conversation
Co-authored-by: jeswr <[email protected]>
Co-authored-by: jeswr <[email protected]>
|
@copilot please update the workflow to use the |
Co-authored-by: jeswr <[email protected]>
Co-authored-by: jeswr <[email protected]>
Updated to use Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
|
@copilot Please use actions/setup-node rather than |
Co-authored-by: jeswr <[email protected]>
Added steps to clear npm token configuration Changed the verification to warn instead of fail (so you can see the issue) Added instructions in the logs about removing the secret
There was a problem hiding this comment.
Pull request overview
This PR updates the CI workflow to use OIDC trusted publishing for npm package publishing, replacing deprecated npm classic token authentication that was revoked in December 2025.
Changes:
- Migrated from token-based authentication (
NPM_TOKENsecret) to OIDC trusted publishing for npm - Updated Node.js versions to 22.x and 24.x to support npm v10+ with OIDC capabilities
- Added extensive verification and debugging steps to ensure OIDC authentication works correctly
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
.github/workflows/ci.yml |
Added OIDC permissions, registry URL configuration, token cleanup steps, and replaced JS-DevTools/npm-publish action with direct npm publish CLI commands |
package.json |
Simplified repository URL format by removing git+ prefix |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
.github/workflows/ci.yml
Outdated
| - name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC | ||
| run: | | ||
| # Remove any .npmrc file that might contain token auth | ||
| if [ -f "$HOME/.npmrc" ]; then | ||
| echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." | ||
| if grep -q "_authToken" "$HOME/.npmrc"; then | ||
| echo "Removing token auth from .npmrc..." | ||
| sed -i '/_authToken/d' "$HOME/.npmrc" || true | ||
| fi | ||
| fi | ||
| # Clear npm config token settings | ||
| npm config delete //registry.npmjs.org/:_authToken || true | ||
| npm config delete _authToken || true | ||
| # Note: NODE_AUTH_TOKEN env var from secrets will still be available | ||
| # but npm should prefer OIDC when configured correctly | ||
| echo "Cleared npm token configuration" |
There was a problem hiding this comment.
This step manipulates npm configuration files and settings to work around potential conflicts with OIDC. The extensive token cleanup logic is duplicated in both publish jobs and suggests the workflow might be fighting against the environment setup. Consider removing the NODE_AUTH_TOKEN secret from the repository instead of working around it in the workflow.
.github/workflows/ci.yml
Outdated
| - name: Verify OIDC authentication | ||
| run: | | ||
| echo "Workflow name: ${{ github.workflow }}" | ||
| echo "Workflow file: ${{ github.workflow_ref }}" | ||
| echo "Repository: ${{ github.repository }}" | ||
| echo "Ref: ${{ github.ref }}" | ||
| echo "Actor: ${{ github.actor }}" | ||
| echo "Event name: ${{ github.event_name }}" | ||
| # Check if NODE_AUTH_TOKEN is set (from repository secrets) | ||
| if [ -n "$NODE_AUTH_TOKEN" ]; then | ||
| echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" | ||
| echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" | ||
| echo "from repository Settings > Secrets and variables > Actions" | ||
| echo "" | ||
| echo "For now, we'll try to work around it by clearing npm config..." | ||
| # Don't exit - try to work around it | ||
| else | ||
| echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" | ||
| fi | ||
| # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) | ||
| if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then | ||
| echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" | ||
| else | ||
| echo "✓ OIDC token request token is available" | ||
| fi |
There was a problem hiding this comment.
The extensive verification steps for OIDC authentication (lines 107-235) are duplicated in both npm-publish-build and npm-publish-latest jobs. Consider extracting this logic into a reusable composite action or a shared shell script to reduce duplication and improve maintainability.
| - name: Test npm publish (dry-run) - PRs only | ||
| if: github.event_name == 'pull_request' | ||
| run: | | ||
| echo "Testing npm publish authentication with dry-run..." | ||
| echo "This verifies OIDC authentication works without actually publishing" | ||
| npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || { | ||
| echo "ERROR: npm publish dry-run failed" | ||
| echo "This indicates OIDC authentication is not working correctly" | ||
| exit 1 | ||
| } | ||
| echo "✓ npm publish dry-run succeeded - OIDC authentication is working!" |
There was a problem hiding this comment.
The dry-run test will fail on pull requests because OIDC authentication tokens are only issued for trusted events (push to main, tags, etc.), not for pull_request events. This check should either be removed or the condition should be adjusted to skip it for pull requests, as OIDC authentication cannot be verified in PR contexts.
| - name: Test npm publish (dry-run) - PRs only | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| echo "Testing npm publish authentication with dry-run..." | |
| echo "This verifies OIDC authentication works without actually publishing" | |
| npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || { | |
| echo "ERROR: npm publish dry-run failed" | |
| echo "This indicates OIDC authentication is not working correctly" | |
| exit 1 | |
| } | |
| echo "✓ npm publish dry-run succeeded - OIDC authentication is working!" | |
| - name: Skip npm publish dry-run on PRs (OIDC not available) | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| echo "Skipping npm publish dry-run on pull_request events." | |
| echo "OIDC tokens are only issued for trusted events (e.g., push to main, tags, workflow_dispatch)," | |
| echo "so npm publish authentication cannot be verified in PR contexts." | |
| echo "This step is intentionally a no-op for pull requests." |
.github/workflows/ci.yml
Outdated
| run: | | ||
| # Remove any .npmrc file that might contain token auth | ||
| if [ -f "$HOME/.npmrc" ]; then | ||
| echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." | ||
| if grep -q "_authToken" "$HOME/.npmrc"; then | ||
| echo "Removing token auth from .npmrc..." | ||
| sed -i '/_authToken/d' "$HOME/.npmrc" || true | ||
| fi | ||
| fi | ||
| # Clear npm config token settings | ||
| npm config delete //registry.npmjs.org/:_authToken || true | ||
| npm config delete _authToken || true | ||
| # Note: NODE_AUTH_TOKEN env var from secrets will still be available | ||
| # but npm should prefer OIDC when configured correctly | ||
| echo "Cleared npm token configuration" |
There was a problem hiding this comment.
This token cleanup logic is duplicated from the npm-publish-build job (lines 86-101). Extract this into a reusable composite action or shell script to eliminate the duplication.
| run: | | |
| # Remove any .npmrc file that might contain token auth | |
| if [ -f "$HOME/.npmrc" ]; then | |
| echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." | |
| if grep -q "_authToken" "$HOME/.npmrc"; then | |
| echo "Removing token auth from .npmrc..." | |
| sed -i '/_authToken/d' "$HOME/.npmrc" || true | |
| fi | |
| fi | |
| # Clear npm config token settings | |
| npm config delete //registry.npmjs.org/:_authToken || true | |
| npm config delete _authToken || true | |
| # Note: NODE_AUTH_TOKEN env var from secrets will still be available | |
| # but npm should prefer OIDC when configured correctly | |
| echo "Cleared npm token configuration" | |
| run: .github/scripts/clear-npm-token.sh |
- Addressed dry-run comment
|
@PreciousOritsedere @jeswr |
|
Thank you, let me try this now |
- Added --access public flag
npm classic tokens were revoked as of December 2025. This updates the CI workflow to use OIDC trusted publishing for npm package publishing.
Changes
id-token: writepermission for OIDC authenticationregistry-url: 'https://registry.npmjs.org'toactions/setup-nodein publish jobsJS-DevTools/npm-publishaction with directnpm publishCLI commandifconditionsRequired Setup
Configure trusted publisher on npmjs.com for this package:
SolidOS/solid-uici.ymlOriginal prompt
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.