Migrate to NPM Trusted Publishers (OIDC authentication) #283

Merged
Tiberriver256 merged 3 commits into main from copilot/migrate-release-workflow-yaml
Feb 5, 2026
Copilot AI commented Feb 5, 2026

Replaces token-based NPM authentication with OIDC-based Trusted Publishers. Eliminates NPM_TOKEN secret management and adds provenance attestations to published packages.

Changes

Workflow (.github/workflows/release-please.yml):

  • Added --provenance flag to npm publish commands
  • Removed NODE_AUTH_TOKEN environment variable usage
  • Leverages existing id-token: write permission for OIDC

Before:

- name: Publish to npm
  run: npm publish --access public
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

After:

- name: Publish to npm
  run: npm publish --provenance --access public

Documentation:

  • Created docs/npm-trusted-publishers-migration.md with setup instructions
  • Updated docs/release-troubleshooting.md to reference OIDC authentication

Required NPM Configuration

After merge, configure the package on npmjs.com:

  1. Package settings → Publishing access → Add trusted publisher
  2. Repository: Tiberriver256/mcp-server-azure-devops
  3. Workflow: release-please.yml

See migration guide for detailed steps.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • github.blog
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


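An added example (not part of the pull request or the project's code): a small Node.js check for the three conditions the description above relies on, namely an `id-token: write` permission, `--provenance` on every `npm publish` step, and no remaining `NODE_AUTH_TOKEN`/`NPM_TOKEN` reference. The function name `auditPublishWorkflow` and the sample workflows are constructed for illustration, and parsing is line-based rather than a real YAML parser.

```javascript
// Added example: line-based audit, not a full YAML parser. Assumes each
// step starts at a "- name:", "- uses:", "- run:" or "- id:" list item.
function auditPublishWorkflow(yamlText) {
  const lines = yamlText.split(/\r?\n/);
  const findings = [];

  // npm can only issue a short-lived credential if the job is allowed to
  // request an OIDC token from GitHub.
  if (!lines.some((l) => /^\s*id-token:\s*write\b/.test(l))) {
    findings.push("missing 'id-token: write' permission");
  }

  // Group lines into step blocks.
  const steps = [];
  for (const line of lines) {
    if (/^\s*-\s+(name|uses|run|id):/.test(line)) steps.push([]);
    if (steps.length > 0) steps[steps.length - 1].push(line);
  }

  for (const step of steps) {
    const text = step.join("\n");
    if (!/\bnpm\s+publish\b/.test(text)) continue;
    const m = text.match(/name:\s*(.+)/);
    const label = m ? m[1].trim() : "(unnamed step)";
    if (!/--provenance\b/.test(text)) {
      findings.push(`${label}: npm publish without --provenance`);
    }
    if (/\b(NODE_AUTH_TOKEN|NPM_TOKEN)\b/.test(text)) {
      findings.push(`${label}: still references a long-lived npm token`);
    }
  }
  return findings;
}

// Constructed sample workflows modelled on the Before/After snippets.
const HEADER = ["permissions:", "  id-token: write", "steps:"];
const BEFORE = [...HEADER,
  "  - name: Publish to npm",
  "    run: npm publish --access public",
  "    env:",
  "      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}"].join("\n");
const AFTER = [...HEADER,
  "  - name: Publish to npm",
  "    run: npm publish --provenance --access public"].join("\n");

console.log(auditPublishWorkflow(BEFORE));
console.log(auditPublishWorkflow(AFTER));
```

Run over every file in `.github/workflows/`, a non-empty result points at a publish path that would still depend on a stored secret after the migration.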

Copilot AI and others added 2 commits February 5, 2026 16:20
Co-authored-by: Tiberriver256 <6989492+Tiberriver256@users.noreply.github.com>
Co-authored-by: Tiberriver256 <6989492+Tiberriver256@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Migrate release please workflow YAML to npm trusted publishers" to "Migrate to NPM Trusted Publishers (OIDC authentication)" Feb 5, 2026
Copilot AI requested a review from Tiberriver256 February 5, 2026 16:24
@Tiberriver256 Tiberriver256 marked this pull request as ready for review February 5, 2026 16:28
Copilot AI requested a deployment to external-pr-check February 5, 2026 16:28 Waiting
@Tiberriver256 Tiberriver256 merged commit 01597e9 into main Feb 5, 2026
3 of 4 checks passed
@Tiberriver256 Tiberriver256 deleted the copilot/migrate-release-workflow-yaml branch February 5, 2026 16:28