test oidc auth by forcing empty credentials

alexanderMontague · alexanderMontague · commit 74a937310335 · 2025-12-12T12:10:53.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -105,6 +105,7 @@ jobs:
           title: Version Packages - ${{ github.ref_name }}
           publish: pnpm release latest
         env:
+          NODE_AUTH_TOKEN: ''
           NPM_TOKEN: ''
           NPM_CONFIG_PROVENANCE: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -133,5 +134,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ''
+          NODE_AUTH_TOKEN: ''
           NPM_CONFIG_PROVENANCE: true
           SHOPIFY_CLI_BUILD_REPO: ${{ github.repository }}
diff --git a/.github/workflows/test-oidc-auth.yml b/.github/workflows/test-oidc-auth.yml
@@ -0,0 +1,84 @@
+name: Test OIDC Authentication
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  PNPM_VERSION: '10.11.1'
+
+jobs:
+  test-oidc-setup:
+    name: Test OIDC Setup
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup deps
+        uses: ./.github/actions/setup-cli-deps
+        with:
+          node-version: 24.12.0
+
+      - name: Check npm version
+        run: npm --version
+
+      - name: Check Node version
+        run: node --version
+
+      - name: Verify .npmrc configuration
+        run: |
+          echo "=== Checking .npmrc files exist ==="
+          if [ -f ~/.npmrc ]; then
+            echo "✅ ~/.npmrc exists"
+            if grep -q "registry.npmjs.org" ~/.npmrc; then
+              echo "✅ Contains npm registry configuration"
+            fi
+          else
+            echo "ℹ️  No .npmrc in home directory"
+          fi
+
+          if [ -f .npmrc ]; then
+            echo "✅ ./.npmrc exists in project"
+          else
+            echo "ℹ️  No .npmrc in project directory"
+          fi
+
+      - name: Verify environment configuration
+        run: |
+          if [ -z "${NODE_AUTH_TOKEN+x}" ]; then
+            echo "❌ NODE_AUTH_TOKEN not set"
+          else
+            echo "✅ NODE_AUTH_TOKEN is configured"
+          fi
+
+          if [ "${NPM_CONFIG_PROVENANCE}" = "true" ]; then
+            echo "✅ NPM_CONFIG_PROVENANCE is enabled"
+          else
+            echo "❌ NPM_CONFIG_PROVENANCE not enabled"
+          fi
+        env:
+          NODE_AUTH_TOKEN: ''
+          NPM_TOKEN: ''
+          NPM_CONFIG_PROVENANCE: true
+
+      - name: Test npm publish dry-run
+        run: |
+          cd packages/cli-kit
+          npm publish --dry-run --provenance --access public 2>&1 | grep -E "(Publishing|provenance|notice|Published)" || true
+        env:
+          NODE_AUTH_TOKEN: ''
+          NPM_TOKEN: ''
+          NPM_CONFIG_PROVENANCE: true
+
+      - name: Check OIDC token availability
+        run: |
+          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL+x}" ]; then
+            echo "✅ OIDC token request URL is available"
+          else
+            echo "❌ OIDC token request URL is NOT available"
+          fi
