
Upgrade npm to support OIDC Trusted Publishing#231

Merged: subtleGradient merged 1 commit into main from fix-npm-oidc-version, Nov 12, 2025

Conversation

@subtleGradient (Contributor):

npm v10.8.2 (bundled with Node 20.x) predates Trusted Publishing support. npm CLI v11.5.1+ is required for OIDC authentication with the --provenance flag.

Evidence: CI publish failed with ENEEDAUTH despite id-token: write and correct workflow setup. npm fell back to token auth and found none.

Add explicit npm upgrade step before publish to ensure OIDC works.

Copilot AI review requested due to automatic review settings November 12, 2025 21:01
@subtleGradient subtleGradient merged commit fd5e309 into main Nov 12, 2025
7 checks passed
@subtleGradient subtleGradient deleted the fix-npm-oidc-version branch November 12, 2025 21:01

Copilot AI left a comment

Pull Request Overview

This PR adds an npm upgrade step to the publish workflow to enable OIDC Trusted Publishing support. The workflow previously used npm v10.8.2 (bundled with Node 20.x), which lacks support for OIDC authentication with the --provenance flag. The upgrade ensures npm CLI v11.5.1+ is available when changeset publish --provenance is executed.

  • Adds explicit npm upgrade step before the changesets action to ensure OIDC compatibility

- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Upgrade npm for OIDC support
run: npm install -g npm@latest
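Review bot: `npm install -g npm@latest` fetches whatever the registry serves at run time, so the publish job is not reproducible and a future npm release with changed behaviour lands in the release path unreviewed; pin the version (npm@11.5.1, the minimum the PR body names) and follow the install with `npm --version` so the job log records which CLI actually performed the OIDC exchange. Without that check, an install that silently fails leaves the Node-bundled 10.8.2 in place and reproduces the same ENEEDAUTH fallback to token auth this PR is fixing, with nothing in the log to show why.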

Copilot AI Nov 12, 2025

Using npm@latest makes the workflow non-deterministic and could lead to unexpected behavior if a new npm version introduces breaking changes. Consider pinning to a specific version that supports OIDC (e.g., npm@11.5.1) to ensure reproducible builds.

Suggested change (replace the line):
    run: npm install -g npm@latest
with:
    run: npm install -g npm@11.5.1

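A preflight check that enforces the minimum npm version the PR body names, written here as an added example (it is not part of this PR or of the project's workflow). It assumes the 11.5.1 floor from the PR description and that `npm --version` prints a plain dotted version; the comparison is numeric per component, so 11.10.0 correctly ranks above 11.9.9.

```shell
#!/bin/sh
# Added example, not part of this PR or the project's workflow: a preflight
# that fails fast if the npm CLI on PATH is older than the 11.5.1 the PR body
# names as the minimum for OIDC Trusted Publishing, so a publish job cannot
# silently fall back to the Node-bundled 10.8.2 and hit ENEEDAUTH later.

NPM_MIN_OIDC_VERSION=11.5.1   # minimum stated in the PR description

# version_ge A B: exit 0 when dotted version A >= B, comparing each component
# numerically (so 11.10.0 > 11.9.9); missing components count as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 0
}

# npm_oidc_ready [VERSION]: exit 0 when VERSION (default: the installed npm's
# `npm --version`) meets NPM_MIN_OIDC_VERSION. A pre-release suffix such as
# 12.0.0-pre.1 is ignored; an absent npm counts as not ready.
npm_oidc_ready() {
  v="$1"
  [ -n "$v" ] || v=$(npm --version 2>/dev/null || true)
  v=${v%%-*}
  [ -n "$v" ] || return 1
  version_ge "$v" "$NPM_MIN_OIDC_VERSION"
}

# Stand-alone run: report on the installed npm. In a CI step, replace the echo
# in the else branch with `exit 1` so the job stops before the publish step.
if npm_oidc_ready; then
  echo "npm $(npm --version) >= $NPM_MIN_OIDC_VERSION: OIDC-capable"
else
  echo "npm ${v:-not found} < $NPM_MIN_OIDC_VERSION: run 'npm install -g npm@$NPM_MIN_OIDC_VERSION' first" >&2
fi
```

Placed as its own step between the pinned `npm install -g npm@11.5.1` and the publish step, the check turns a silent fallback to the bundled npm into an explicit job failure with the offending version in the log.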
castortech pushed a commit to castortech/rivet-ai-sdk-provider that referenced this pull request Dec 28, 2025
Latest commit:

Upgrade npm to support OIDC Trusted Publishing (OpenRouterTeam#231)

Previous:
Migrate npm OIDC (OpenRouterTeam#230)
* refactor: migrate to OIDC for npm package publishing

Replace token-based authentication with OpenID Connect (OIDC) for enhanced security:
- Remove NPM_TOKEN from changesets action environment
- Enable automatic provenance generation (NPM_CONFIG_PROVENANCE)
- Set NODE_AUTH_TOKEN to empty string to force OIDC authentication
- Keep diagnostic step for troubleshooting auth issues

This requires configuring npm Trusted Publisher on npmjs.com for the repository.

* refactor: restructure publish workflow to support OIDC properly

Split changesets/action into versioning-only step and separate publish step
to avoid .npmrc token mutation that would block OIDC. This ensures npm uses
Trusted Publisher authentication instead of legacy token-based auth.

Key changes:
- changesets/action now only runs version step (no publish input)
- Added OIDC preflight step to scrub any auth tokens from .npmrc before publishing
- Separated publish into dedicated step with pnpm changeset-publish
- Added post-mortem diagnostics for troubleshooting publish failures

The id-token: write permission remains enabled for OIDC token generation.
Registry setup and package.json publish script already include provenance.

* fix: harden OIDC workflow with publish gate and comprehensive preflight

Address three critical risks identified during code review:

1. Gate publish step to run only when no changesets exist
   - Prevents wasteful runs and log noise when version PR is created
   - Ensures publish only runs on merge commits (when hasChangesets == 'false')
   - .github/workflows/publish.yaml:74

2. Harden preflight to scrub all .npmrc locations and auth forms
   - Iterate over all potential locations: NPM_CONFIG_USERCONFIG, ~/.npmrc, .npmrc
   - Remove both registry-scoped (_authToken, _auth=) and global (always-auth) forms
   - Prevents stray .npmrc from blocking OIDC authentication
   - .github/workflows/publish.yaml:45-52

3. Make whoami check robust with exit code instead of grep
   - Check npm whoami exit code (0 = logged in, non-zero = not logged in)
   - Avoids reliance on fragile message matching across npm versions
   - Verify registry config (including @openrouter scope)
   - .github/workflows/publish.yaml:62-71

4. Enhance post-mortem diagnostics
   - Log registry configuration for both global and @openrouter scope
   - Redact .npmrc contents to aid forensics without exposing secrets
   - Check all three potential .npmrc locations
   - .github/workflows/publish.yaml:92-101

With these changes, the workflow is hardened against OIDC authentication failures.

* refine: use extended regex patterns for comprehensive .npmrc token scrubbing

Improve sed patterns to handle edge cases in token removal:
- Registry-scoped tokens: Allow optional whitespace around = sign
  sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d'
- Global tokens: Match _authToken or _auth anywhere on a line with leading whitespace
  sed -i -E '/^\s*(_authToken|_auth)\s*=/d'
- Global always-auth: Case-insensitive with optional spacing
  sed -i -E '/^\s*[Aa]lways-[Aa]uth\s*=/d'

This closes the gap where npm could treat whitespace-padded or variant token
lines as a signal to use legacy token auth instead of OIDC. Extended regex (-E)
enables more flexible matching without sacrificing readability.

Addresses edge case identified during workflow review.
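The .npmrc preflight scrub that the #230 commit message above describes (item 2 of the hardening commit and the extended-regex refinement), reproduced as an added example that is not the project's own workflow. It applies the three sed patterns quoted in the message to every location the message lists (NPM_CONFIG_USERCONFIG, ~/.npmrc, ./.npmrc) and runs them against a constructed .npmrc so the effect can be checked offline; `[[:space:]]` stands in for `\s` so the patterns also work with a POSIX (non-GNU) sed, and every token value in the sample is a placeholder.

```shell
#!/bin/sh
# Added example, not the project's own workflow: reproduces the preflight
# scrub from the #230 commit message (every .npmrc location, every token form)
# against a constructed .npmrc so it can be exercised offline. The patterns are
# the three the message quotes, with [[:space:]] in place of \s so they also
# work with a POSIX (non-GNU) sed.

# Constructed sample: legitimate registry/scope/provenance settings mixed with
# the auth-line variants the scrub must remove (token values are placeholders).
make_sample_npmrc() {
  cat > "$1" <<'EOF'
registry=https://registry.npmjs.org/
@openrouter:registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken = npm_PLACEHOLDER_TOKEN
//registry.npmjs.org/:_auth=UExBQ0VIT0xERVI=
  _authToken=PLACEHOLDER
Always-Auth = true
provenance=true
EOF
}

# scrub_npmrc FILE: drop every registry-scoped, global and always-auth line
# from one .npmrc, leaving the other settings intact; a missing file is a no-op.
scrub_npmrc() {
  file="$1"
  [ -f "$file" ] || return 0
  tmp="$file.scrub.$$"
  sed -E \
    -e '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)[[:space:]]*=/d' \
    -e '/^[[:space:]]*(_authToken|_auth)[[:space:]]*=/d' \
    -e '/^[[:space:]]*[Aa]lways-[Aa]uth[[:space:]]*=/d' \
    "$file" > "$tmp" && mv "$tmp" "$file"
}

# scrub_all_npmrc: apply the scrub to each location npm consults, as listed in
# the commit message: NPM_CONFIG_USERCONFIG (when set), ~/.npmrc, ./.npmrc.
scrub_all_npmrc() {
  for loc in "${NPM_CONFIG_USERCONFIG:-}" "$HOME/.npmrc" ".npmrc"; do
    if [ -n "$loc" ]; then scrub_npmrc "$loc"; fi
  done
}

# count_auth_lines FILE: number of lines still carrying any token or
# always-auth form; prints 0 (not a failure) when none remain.
count_auth_lines() {
  grep -c -E '(_authToken|_auth)[[:space:]]*=|[Aa]lways-[Aa]uth' "$1" || true
}

# Stand-alone demo inside a throwaway directory so no real .npmrc is touched.
(
  d=$(mktemp -d) && cd "$d" || exit 1
  HOME="$d"; NPM_CONFIG_USERCONFIG="$d/user.npmrc"; export HOME NPM_CONFIG_USERCONFIG
  make_sample_npmrc user.npmrc; make_sample_npmrc .npmrc
  echo "before: $(count_auth_lines .npmrc) auth line(s)"
  scrub_all_npmrc
  echo "after:  $(count_auth_lines .npmrc) auth line(s); remaining config:"
  cat .npmrc
  cd / && rm -rf "$d"
)
```

The sample exercises each form the message calls out: a registry-scoped `_authToken` with spaces around `=`, a registry-scoped `_auth`, a global `_authToken` with leading whitespace, and a mixed-case `Always-Auth`. After the scrub only the registry, scope and provenance lines remain, which is the state in which npm has no token to fall back to and must use the OIDC exchange.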
kesavan-byte pushed a commit to osm-API/ai-sdk-provider that referenced this pull request Feb 13, 2026