Skip to content

Switch npm publish to OIDC trusted publishing#33

Merged
grischaerbe merged 2 commits into
masterfrom
grischaerbe/npm-oidc-publish
Apr 29, 2026
Merged

Switch npm publish to OIDC trusted publishing#33
grischaerbe merged 2 commits into
masterfrom
grischaerbe/npm-oidc-publish

Conversation

@grischaerbe

@grischaerbe grischaerbe commented Apr 29, 2026

Copy link
Copy Markdown
Owner

Summary

  • Replace the expired NODE_AUTH_TOKEN with GitHub's OIDC flow now that the repo is registered as a trusted publisher on npm. The v3.0.0 release attempt failed with npm error 404 Not Found - PUT https://registry.npmjs.org/cacheables because the long-lived token was no longer valid.
  • Add permissions: id-token: write on the publish-npm job so GitHub mints an OIDC token for the publish step.
  • Bump the publish job to Node 24 — trusted publishing requires npm >= 11.5.1, and Node 22 ships with npm 10.x. Node 24 ships with npm 11.5+.
  • Drop the NODE_AUTH_TOKEN env. npm picks up the OIDC token automatically and produces provenance attestations by default.

The build job stays on Node 22 (matches ci.yml); only the publish step needed the bump.

Test plan

  • Trigger a release after merge and confirm publish-npm succeeds.
  • Verify the published cacheables@3.0.0 tarball on npmjs.com shows a provenance badge.
  • Once the publish succeeds, delete the now-unused npm_token repo secret.

🤖 Generated with Claude Code

grischaerbe and others added 2 commits April 29, 2026 23:52
@grischaerbe @claude
Switch npm publish to OIDC trusted publishing
5e0c124 
Replaces the long-lived NODE_AUTH_TOKEN with GitHub's OIDC flow now that
the repo is registered as a trusted publisher on npm. The previous v3.0.0
release attempt failed with E404 because the secret token had expired.

- Add `permissions: id-token: write` so GitHub mints an OIDC token for
  the publish step.
- Bump publish job to Node 24 (npm 11.5+) — trusted publishing requires
  npm >= 11.5.1, and Node 22 still ships with npm 10.x.
- Drop `NODE_AUTH_TOKEN`; npm picks up the OIDC token automatically and
  produces provenance attestations by default.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@grischaerbe @claude
Align release-workflow build job to Node 24
6d9d69d 
Matches the publish-npm bump in the previous commit so both jobs in the
release workflow run on the same Node version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@grischaerbe grischaerbe merged commit 23295a0 into master Apr 29, 2026
5 checks passed
@grischaerbe grischaerbe deleted the grischaerbe/npm-oidc-publish branch April 29, 2026 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@grischaerbe