fix(ci): npm OIDC trusted publishing in release.yml (unblocks 0.0.4) #50

Merged: johnxie merged 1 commit into main from fix/release-npm-oidc on Jun 9, 2026

johnxie (Member) commented Jun 9, 2026

What broke

Release run 27230473355 failed publishing 0.0.4: npm error 404 Not Found - PUT … on both packages — npm's unauthorized symptom for scoped packages.

Root cause

#26 switched npm to OIDC trusted publishing ("no more tokens"), and 0.0.3 actually shipped via force-release.yml (manual dispatch), which has id-token: write + NPM_CONFIG_PROVENANCE: true and no token env. The automatic release.yml was never converted — it still passed the retired NPM_TOKEN and had no permissions block, so OIDC could not mint a token → 404 on PUT.

Fix (mirror the proven force-release.yml config)

| | before | after |
|---|---|---|
| job permissions | none | id-token: write, contents: write, pull-requests: write |
| setup-node | @v3 / Node 20 | @v4 / Node 22 (matches force-release) |
| Publish env | NPM_TOKEN + NODE_AUTH_TOKEN | NPM_CONFIG_PROVENANCE: true (OIDC, no tokens) |

Zero-regression

  • YAML validates; changesets version-PR step unchanged.
  • Merging this triggers the release run on main — with chore: release #49 already merged and no pending changesets, hasChangesets == 'false' → Publish runs → 0.0.4 ships. If anything fails, force-release.yml remains the manual fallback.

The auto-release failed with npm E404-on-PUT (npm's unauthorized symptom):
the repo switched to OIDC trusted publishing (#26) but release.yml was never
converted — it still passed the retired NPM_TOKEN and lacked id-token: write.
Align the Publish step with the proven force-release.yml config:
- job permissions: id-token: write (+ contents/PRs for the changesets PR)
- setup-node@v4 / Node 22, NPM_CONFIG_PROVENANCE: true
- drop NPM_TOKEN / NODE_AUTH_TOKEN
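
The drift described above (release.yml still on NPM_TOKEN while force-release.yml already used OIDC) can be checked mechanically. The following is an added example, not code from this PR or repository: a Node.js check that compares a workflow against a known-good reference using line-based heuristics. The function names, both sample workflows and `npm publish` as the publish command are assumptions made for illustration.

```javascript
// Added example. Line-based heuristics at file level, not a YAML parser.
const LEGACY_TOKEN_VARS = ["NPM_TOKEN", "NODE_AUTH_TOKEN"];

// Extract the settings that the before/after table in the PR description compares.
function publishPosture(yamlText) {
  const lines = yamlText.split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
  const capture = (re) => lines.map((l) => l.match(re)).find(Boolean)?.[1] ?? null;
  return {
    idTokenWrite: lines.some((l) => /^(id-token:\s*write|permissions:\s*write-all)$/.test(l)),
    provenance: lines.some((l) => /^NPM_CONFIG_PROVENANCE:\s*["']?true["']?$/.test(l)),
    legacyTokens: LEGACY_TOKEN_VARS.filter((v) => lines.some((l) => l.startsWith(v + ":"))),
    setupNode: capture(/actions\/setup-node@(\S+)/),
    nodeVersion: capture(/^node-version:\s*["']?([\w.]+)/),
  };
}

// Compare a workflow against a reference workflow that is known to publish correctly.
function auditAgainst(referenceYaml, candidateYaml) {
  const [ref, cur] = [referenceYaml, candidateYaml].map(publishPosture);
  const findings = [];
  if (!cur.idTokenWrite) findings.push("missing id-token: write");
  if (!cur.provenance) findings.push("NPM_CONFIG_PROVENANCE not true");
  for (const v of cur.legacyTokens) findings.push(`legacy token env ${v}`);
  for (const key of ["setupNode", "nodeVersion"]) {
    if (ref[key] !== cur[key]) findings.push(`${key} ${cur[key]} != reference ${ref[key]}`);
  }
  return findings;
}

// Constructed sample workflows (not the repository's real files).
const REFERENCE = `permissions:
  id-token: write
steps:
  - uses: actions/setup-node@v4
    with:
      node-version: 22
  - run: npm publish
    env:
      NPM_CONFIG_PROVENANCE: true`;
const STALE = `steps:
  - uses: actions/setup-node@v3
    with:
      node-version: 20
  - run: npm publish
    env:
      NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
      NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}`;

console.log(auditAgainst(REFERENCE, STALE));
```

Run as a CI step over every workflow that publishes, a non-empty result fails the build before a release run hits the registry.
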
@johnxie johnxie requested a review from Copilot June 9, 2026 19:30

changeset-bot Bot commented Jun 9, 2026

⚠️ No Changeset found

Latest commit: 21621ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@johnxie johnxie merged commit b1b728a into main Jun 9, 2026
1 check passed
@johnxie johnxie deleted the fix/release-npm-oidc branch June 9, 2026 19:30

Copilot AI left a comment

Pull request overview

Updates the release.yml GitHub Actions workflow to publish to npm using OIDC trusted publishing (matching the already-working force-release.yml), unblocking automated publishing for @taskade/mcp-server@0.0.4.

Changes:

  • Adds explicit job permissions needed for OIDC (id-token: write) and Changesets PR creation (contents: write, pull-requests: write).
  • Updates actions/setup-node to v4 and Node.js to 22.
  • Removes legacy npm token env vars and enables provenance via NPM_CONFIG_PROVENANCE: true.

Comment on lines +14 to +17
permissions:
id-token: write
contents: write
pull-requests: write
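
Review bot: id-token: write is granted in the same permissions block as contents: write and pull-requests: write, so every step that runs under this block can both write to the repository and request an OIDC token. Consider splitting the version-PR work and the publish step into separate jobs so that id-token: write is held only by the job that publishes, and add a short comment beside each scope naming the step that needs it.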