Switch release workflow to npm trusted publishing (OIDC)#185
Merged
Conversation
The NPM_TOKEN secret expired (last rotated 2024-07-11), causing every release since v0.8.1 to fail with `npm error 404 ... PUT .../token.js - Not found` — npm's response to a bad publish credential. Switch to OIDC-based trusted publishing so there's no long-lived token to expire, leak, or rotate: - Add `id-token: write` permission so the runner can mint the OIDC token npm exchanges for a short-lived publish credential (contents/ pull-requests kept for changesets tags + GitHub releases). - Bump Node 20 -> 22 (OIDC needs Node >= 22.14.0; also clears the Node 20 runner-deprecation warning). - Upgrade the runner's global npm, which `changeset publish` shells out to, since OIDC requires npm >= 11.5.1. - Drop the NPM_TOKEN env var. Requires registering the trusted publisher on npmjs.com (repo token-js/token.js, workflow release.yml) before the first OIDC publish. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
Release packages (prod)workflow has been failing on every push tomainsince 2026-06-06. All runs die on the Publish to NPM step with:This is npm's response to an invalid/expired publish credential (it returns
404rather than401/403so it doesn't leak package existence to unauthorized callers). The package itself is fine — latest published is0.7.1, and0.8.1inpackage.jsonhas never made it to the registry, so every subsequent push retries the same stuck publish and fails identically.Root cause: the repo's
NPM_TOKENsecret was last rotated 2024-07-11 and has since expired.Fix
Rather than mint and store yet another long-lived token, switch to npm trusted publishing (OIDC) — the approach npm now recommends for CI. GitHub mints a short-lived, workflow-scoped OIDC token that npm exchanges for a one-time publish credential. There's no stored secret to expire, leak, or rotate, and npm auto-generates provenance attestations.
Changes to
.github/workflows/release.yml:permissions: id-token: writeso the runner can mint the OIDC token (keptcontents/pull-requests: writefor changesets git tags + GitHub releases, since adding an explicitpermissionsblock otherwise drops the default grants).npm install -g npm@latest) — OIDC requires npm ≥ 11.5.1, and older npm silently falls back to token auth.pnpm changeset publishshells out to npm under the hood, so the global npm version is what matters.NPM_TOKENenv var.pnpm changeset publishis unchanged — changesets uses npm's native publish path, so it picks up OIDC automatically without needing pnpm's own (still-in-progress) OIDC support.token-js, repositorytoken.js, workflowrelease.yml. The first OIDC publish will 404 until this exists.0.8.1once to clear the currently-stuck version.NPM_TOKENsecret can be deleted.🤖 Generated with Claude Code