
Restore NPM_TOKEN to publish workflow #228

Merged
subtleGradient merged 1 commit into main from restore-npm-token
Nov 12, 2025

@subtleGradient
Contributor

Summary

Restore the NPM_TOKEN environment variable to the publish workflow. The token is needed for npm authentication, while the --provenance flag uses OIDC for cryptographic attestations.

Changes

  • Add NPM_TOKEN: ${{ secrets.NPM_TOKEN }} back to changesets action environment
  • Remove .npmrc experiment (didn't work - changesets looks for ~/.npmrc, not repo .npmrc)
  • Keep --provenance flag for OIDC attestations

How it Works

  • Authentication: NPM_TOKEN secret (may be configured at org level)
  • Provenance: --provenance flag + id-token: write permission uses OIDC
  • Both work together: Token authenticates the publish, OIDC signs/attests the package

Context

Previous attempts to use pure OIDC without a token failed with E404 errors. npm's OIDC support is specifically for provenance attestations, not for replacing token-based authentication entirely.

- Add NPM_TOKEN back to changesets action environment
- Remove .npmrc experiment (didn't work)
- NPM_TOKEN needed for authentication, --provenance uses OIDC for attestations
- Token may be configured at organization level
Copilot AI review requested due to automatic review settings November 12, 2025 19:16
@subtleGradient subtleGradient merged commit 6bec851 into main Nov 12, 2025
7 checks passed
@subtleGradient subtleGradient deleted the restore-npm-token branch November 12, 2025 19:17
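
The setup this pull request describes, written out as an added sketch (not the repository's actual publish.yaml): the npm token authenticates the publish, and `id-token: write` lets the job obtain the OIDC token behind `--provenance`. The trigger, action versions, Node version and the `npm run release` script are assumptions.

```yaml
# Added sketch; not the repository's actual .github/workflows/publish.yaml.
name: Publish

on:
  push:
    branches: [main]            # assumption: releases are cut from main

jobs:
  publish:
    runs-on: ubuntu-latest
    # Permissions are scoped to this job so no other job can mint OIDC tokens.
    permissions:
      contents: write           # changesets/action pushes version commits and tags
      pull-requests: write      # changesets/action opens the release PR
      id-token: write           # required for the OIDC token used by --provenance
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20      # assumption; provenance needs npm 9.5.0 or later

      - run: npm ci

      - uses: changesets/action@v1
        with:
          # Hypothetical package.json script. It must end up running the
          # publish command with the --provenance flag.
          publish: npm run release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Authenticates the publish. The action reads this from the
          # environment; a repo-level .npmrc is not what it looks for.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

After a release, running `npm audit signatures` in a project that installs the package checks the registry signature and the provenance attestation.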
Contributor

Copilot AI left a comment

Pull Request Overview

This PR restores proper npm authentication configuration for the changesets-based publish workflow by adding back the NPM_TOKEN environment variable and removing a malformed .npmrc experiment.

Key Changes:

  • Adds NPM_TOKEN environment variable to the changesets action for npm authentication
  • Removes an incorrectly formatted .npmrc file that was part of a failed experiment
  • Maintains the --provenance flag for OIDC-based package attestations

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .npmrc | Removes malformed .npmrc file with invalid leading whitespace that would not have worked |
| .github/workflows/publish.yaml | Adds NPM_TOKEN environment variable required by changesets/action for npm registry authentication |

Comments suppressed due to low confidence (1)

.npmrc:1

  • The removed .npmrc file had leading whitespace before the registry= line, which would have caused parsing issues. The standard .npmrc format doesn't allow leading whitespace on configuration lines. This removal is correct, but it's worth noting that if this file was intended to work, it was malformed.

kesavan-byte pushed a commit to osm-API/ai-sdk-provider that referenced this pull request Feb 13, 2026
- Add NPM_TOKEN back to changesets action environment
- Remove .npmrc experiment (didn't work)
- NPM_TOKEN needed for authentication, --provenance uses OIDC for attestations
- Token may be configured at organization level