From 01fb914a0ddbe520698607acd780d59787deb769 Mon Sep 17 00:00:00 2001
From: andy-chhuon
Date: Mon, 15 Dec 2025 17:01:51 -0500
Subject: [PATCH] Add OIDC to npm
---
 .changeset/chilly-ghosts-beam.md | 5 ++++
 .github/workflows/actions/prepare/action.yml | 5 ++--
 .github/workflows/deploy-rc.yml | 29 --------------------
 .github/workflows/deploy.yml | 19 ++++++++-----
 4 files changed, 20 insertions(+), 38 deletions(-)
 create mode 100644 .changeset/chilly-ghosts-beam.md
 delete mode 100644 .github/workflows/deploy-rc.yml
diff --git a/.changeset/chilly-ghosts-beam.md b/.changeset/chilly-ghosts-beam.md
new file mode 100644
index 0000000000..1f3018ebe0
--- /dev/null
+++ b/.changeset/chilly-ghosts-beam.md
@@ -0,0 +1,5 @@
+---
+'@shopify/ui-extensions': patch
+---
+
+new oidc deploy workflow
diff --git a/.github/workflows/actions/prepare/action.yml b/.github/workflows/actions/prepare/action.yml
index 64539badfe..442ca6f403 100644
--- a/.github/workflows/actions/prepare/action.yml
+++ b/.github/workflows/actions/prepare/action.yml
@@ -2,11 +2,12 @@ name: Prepare repo
 runs:
   using: 'composite'
   steps:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@v4
       name: Setup node.js and yarn
       with:
+        registry-url: 'https://registry.npmjs.org' # Required for OIDC
         cache: yarn
-        node-version-file: '.nvmrc'
+        node-version-file: '.nvmrc' # Must be 20+ to support npm 11.5.1+
 
     - name: Yarn install
       run: yarn install --frozen-lockfile
diff --git a/.github/workflows/deploy-rc.yml b/.github/workflows/deploy-rc.yml
deleted file mode 100644
index 7cbca2f61b..0000000000
--- a/.github/workflows/deploy-rc.yml
+++ /dev/null
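Review bot: `actions/setup-node@v4` is referenced by a mutable major tag while this same commit pins `changesets/action` to a full commit SHA in deploy.yml; in a workflow that now mints OIDC publish credentials, pin this one the same way, e.g. `- uses: actions/setup-node@<commit-sha> # v4.x` (the unchanged `actions/checkout@v3` in deploy.yml would benefit from the same treatment). Setting `registry-url` in this shared composite action also makes it write an `.npmrc` for every workflow that uses it, not only the deploy job; as far as I know that file only references an empty `NODE_AUTH_TOKEN` unless one is exported, so it is presumably harmless, but a comment such as `# Writes .npmrc for registry.npmjs.org so npm publish can exchange the OIDC token` would record the intent. The comment `# Must be 20+ to support npm 11.5.1+` documents a requirement on `.nvmrc` that nothing in this hunk enforces, so consider noting that `.nvmrc` is the source of truth for it.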
@@ -1,29 +0,0 @@
-name: Deploy RC
-
-on:
-  push:
-    branches:
-      - 20[0-9][0-9]-[01][1470]-rc
-
-concurrency: ${{ github.workflow }}-${{ github.ref }}
-
-jobs:
-  changesets:
-    name: Deploy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
-
-      - uses: ./.github/workflows/actions/prepare
-
-      - id: changesets
-        name: Create release Pull Request or publish to NPM
-        uses: changesets/action@v1
-        with:
-          title: Version Packages (${{ github.ref_name }})
-          publish: yarn run deploy
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 81cd7c3447..3d525aec4c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,7 @@ name: Deploy
 on:
   push:
     branches:
+      # Stable version branches
       - 2023-04
       - 2023-07
       - 2023-10
@@ -11,6 +12,8 @@ on:
       - 2024-07
       - 2024-10
       - 20[0-9][0-9]-[01][1470]
+      # RC version branches
+      - 20[0-9][0-9]-[01][1470]-rc
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -18,6 +21,9 @@ jobs:
   changesets:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC
     steps:
       - uses: actions/checkout@v3
         with:
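Review bot: The new `permissions:` block grants `id-token: write` without saying what consumes it; a comment on the job such as `# id-token: write lets npm exchange a GitHub OIDC token for a short-lived publish token; contents: read suffices because the PAT in the checkout step does the git work` would keep a future cleanup from dropping it. Because a job-level `permissions:` block resets every unlisted scope of GITHUB_TOKEN to none, the `checkout` step's `token:` (a PAT, just past this hunk) is what keeps pushes and PR creation working, which is worth stating next to `contents: read`. Also, as far as I know the npm CLI performs the OIDC exchange only during `npm publish`; the later 'Set latest NPM dist tag' step in this file drops its `_authToken` `.npmrc` in a hunk that runs past the end of this chunk, so confirm that `npm dist-tag add` still authenticates before merging.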
@@ -25,26 +31,25 @@ jobs:
       - uses: ./.github/workflows/actions/prepare
 
+      - name: Update npm to latest
+        run: npm install -g npm@latest
+
       - id: changesets
         name: Create release Pull Request or publish to NPM
-        uses: changesets/action@06245a4e0a36c064a573d4150030f5ec548e4fcc # v1.4.10
+        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         with:
           title: Version Packages (${{ github.ref_name }})
-          publish: yarn run deploy --tag ${{ github.ref_name }}
+          publish: yarn run deploy --tag ${{ endsWith(github.ref_name, '-rc') && 'rc' || github.ref_name }} # RC publishes as `rc` tag, stable publishes as the version number
           createGithubReleases: false
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Forces OIDC authentication
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
 
       - name: Set 'latest' NPM dist tag
         if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
         run: |
-          cat << EOF > "$HOME/.npmrc"
-          //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
           for pkg in $(echo "$PUBLISHED_PACKAGES" | jq -r '.[] | @base64'); do
             _jq() { echo ${pkg} | base64 --decode | jq -r ${1}