ci: enable OIDC trusted publishing for npm

andrew-scott-fischer · andrew-scott-fischer · commit 143ecc3f79af · 2025-11-05T12:06:49.000-08:00
Configure GitHub Actions workflow to use OIDC authentication instead of NPM_TOKEN for publishing packages. This provides better security by eliminating long-lived secrets and enables automatic provenance attestation. Changes: - Add publish environment and id-token: write permission - Remove NPM_TOKEN from workflow configuration - Keep GITHUB_TOKEN for git operations Ticket: VL-3686
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,6 +12,10 @@ jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,9 +59,6 @@ jobs:
         run: |
           echo "workspaces-update = false" >> .npmrc
           echo "@bitgo:registry=https://registry.npmjs.org" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Install Packages
         run: npm ci --workspaces --include-workspace-root
@@ -72,4 +73,3 @@ jobs:
         run: npx lerna publish --yes --no-verify-access
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
