Description
NPM has recently disabled classic access tokens and now recommends publishing via OIDC to avoid the need for long-lived tokens altogether (See https://docs.npmjs.com/trusted-publishers).
Is the feature request related to a problem?
As far as I have been able to deduce, np does not currently allow publishing of packages via OIDC because the NPM prerequisite checks try to verify the currently logged in npm user (source) in a way that I believe is not OIDC compatible.
From the NPM docs:
The npm whoami command will not reflect OIDC authentication status since the authentication occurs only during the publish operation.
When I try to run np within our release.yml GitHub action I get the following error:
[10:39:09] Prerequisite check [started]
[10:39:09] Ping npm registry [started]
[10:39:09] Ping npm registry [completed]
[10:39:09] Check npm version [started]
[10:39:09] Check npm version [completed]
[10:39:09] Verify user is authenticated [started]
[10:39:10] Verify user is authenticated [failed]
[10:39:10] → Authentication error. Use `npm whoami` to troubleshoot.
[10:39:10] Prerequisite check [failed]
[10:39:10] → Authentication error. Use `npm whoami` to troubleshoot.
✖️ Error: Authentication error. Use `npm whoami` to troubleshoot.
at Module.username (file:///home/runner/work/ui/ui/node_modules/np/source/npm/util.js:42:9)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async Task.task (file:///home/runner/work/ui/ui/node_modules/np/source/prerequisite-tasks.js:30:22)
Aborted!
Indeed, there is no user authenticated with the npm CLI in the runner, since we have set up GitHub as a trusted publisher and added the id-token permission to the CLI job which, per the NPM documentation, should allow the package to be published.
Possible implementation
I don't have any specific recommendations, but some ideas:
- A new flag e.g. --skip-npm-auth-check which skips the relevant prerequisite task (this doesn't feel like a great solution…)
- Update `np` to try and detect if it is running in an environment where OIDC is available (see https://github.com/npm/cli/blob/latest/lib/utils/oidc.js#L49-L67). This would be smarter, but would also require more maintenance on `np`'s side to update any checks made as NPM expands support for providers other than GitHub/GitLab.
Alternatives
No workarounds known at this point in time.
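The second idea above, sketched as an added example that is not np's or the npm CLI's code: a pure function that mirrors the environment heuristics the linked oidc.js applies (GitHub Actions with the id-token permission, or GitLab CI with an `NPM_ID_TOKEN` id_token), plus a wrapper showing how a prerequisite task could accept a failed `npm whoami` only when OIDC publishing is actually possible. The environment variable names are assumed from that file and the npm trusted-publisher docs; the function names and return shapes are hypothetical.

```javascript
// Added example (not np's or npm's code). Detects whether npm could
// authenticate via OIDC at publish time, based on the same CI environment
// variables npm's oidc.js inspects (assumed names, see lead-in).
// Returns null when no supported provider is detected, otherwise
// { provider, ready, reason } where `ready` means the token is obtainable.
function detectOidcPublishing(env = process.env) {
  if (env.GITHUB_ACTIONS === 'true') {
    // With `permissions: id-token: write`, GitHub exposes the token request
    // endpoint and bearer token to the job; without it, npm cannot get an ID token.
    const ready = Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
    return {
      provider: 'github',
      ready,
      reason: ready ? undefined : 'GitHub Actions detected but the job lacks `permissions: id-token: write`',
    };
  }
  if (env.GITLAB_CI === 'true') {
    // GitLab jobs must declare an id_tokens entry named NPM_ID_TOKEN.
    const ready = Boolean(env.NPM_ID_TOKEN);
    return {
      provider: 'gitlab',
      ready,
      reason: ready ? undefined : 'GitLab CI detected but no NPM_ID_TOKEN id_token is configured',
    };
  }
  return null;
}

// How a prerequisite task could combine the existing `npm whoami` result with
// OIDC detection. A whoami failure is only tolerated when OIDC is ready, so a
// misconfigured job still fails early instead of at `npm publish`.
function authCheckOutcome(env, whoamiSucceeded) {
  if (whoamiSucceeded) return { ok: true, mode: 'token' };
  const oidc = detectOidcPublishing(env);
  if (oidc && oidc.ready) return { ok: true, mode: `oidc:${oidc.provider}` };
  if (oidc) return { ok: false, mode: 'none', reason: oidc.reason };
  return { ok: false, mode: 'none', reason: 'Authentication error. Use `npm whoami` to troubleshoot.' };
}

// Constructed sample environment resembling the failing runner from the issue,
// i.e. no npm user logged in but id-token permission granted.
const sampleEnv = {
  GITHUB_ACTIONS: 'true',
  ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/token', // constructed
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed-request-token',
};
console.log(authCheckOutcome(sampleEnv, false));
```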