OIDC trusted publishing #1971

Merged
hshoff merged 2 commits into master from hshoff-oidc
Nov 11, 2025

@hshoff hshoff commented Nov 11, 2025

🏠 Internal

  • Enable OIDC trusted publishing with provenance for npm packages
  • Add package name comments to trigger full publish for OIDC testing

Related

Copilot AI left a comment

Pull Request Overview

This PR enables OIDC trusted publishing for npm packages by configuring GitHub Actions to use OpenID Connect authentication instead of npm tokens, improving security and eliminating the need for manual token management.

Key changes:

  • Added --provenance flag to lerna publish command for build attestation
  • Configured GitHub Actions workflow with required OIDC permissions (id-token: write)
  • Removed npm token-based authentication in favor of OIDC
  • Added package name comments to all package index files to trigger a full publish for OIDC testing

Reviewed Changes

Copilot reviewed 39 out of 39 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| scripts/performRelease/performLernaRelease.ts | Added --provenance flag to lerna publish command to generate build attestation |
| .github/workflows/push.yml | Added OIDC permissions, removed npm token authentication, fixed typo in comment |
| packages/visx-*/src/index.ts (40 files) | Added package name comments to trigger full publish for testing |
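
The workflow change summarized in the overview above (an npm token reference removed, `id-token: write` granted) can be checked mechanically. The following is an added example, not code from this pull request or from visx: both workflows are constructed samples, `yarn release` and `auditWorkflow` are hypothetical names, and the check goes one step beyond the PR by also flagging an `id-token: write` grant that applies to every job rather than only the publishing job.

```javascript
// Constructed sample workflows, not the project's push.yml; "yarn release" is a placeholder.
const TOKEN_WORKFLOW = `
name: release
on: { push: { branches: [master] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn release
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`.trim();

const OIDC_WORKFLOW = `
name: release
on: { push: { branches: [master] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets this job request an OIDC token
    steps:
      - uses: actions/checkout@v4
      - run: yarn release
`.trim();

// Line-based heuristic (no YAML parser): returns a list of findings.
function auditWorkflow(yamlText) {
  const findings = [];
  // Drop comments so a commented-out setting is not counted.
  const lines = yamlText.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));
  const indent = (l) => l.length - l.trimStart().length;
  const idx = lines.findIndex((l) => /^\s*id-token:\s*write\s*$/.test(l));
  if (idx === -1) {
    findings.push('missing id-token: write');
  } else {
    // Walk back to the enclosing key; a top-level "permissions:" covers every job.
    let p = idx - 1;
    while (p >= 0 && !(lines[p].trim() && indent(lines[p]) < indent(lines[idx]))) p--;
    if (p >= 0 && lines[p].trim() === 'permissions:' && indent(lines[p]) === 0) {
      findings.push('id-token: write granted to every job');
    }
  }
  lines.forEach((l, i) => {
    if (/\b(NODE_AUTH_TOKEN|NPM_TOKEN)\b/.test(l)) findings.push(`token reference on line ${i + 1}`);
  });
  return findings;
}
```

Because it matches text rather than parsing YAML, the function treats any `#` preceded by whitespace as the start of a comment; a `#` inside a quoted string would be cut off too.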

@github-actions

Size Changes

| Package | Diff | ESM | Prev ESM | CJS | Prev CJS |
| --- | --- | --- | --- | --- | --- |
| visx-annotation | +0.1% | 19.18 KB | 19.16 KB | 23.2 KB | 23.2 KB |
| visx-axis | +0.1% | 13.05 KB | 13.03 KB | 17.71 KB | 17.71 KB |
| visx-bounds | +1.2% | 1.46 KB | 1.44 KB | 1.87 KB | 1.87 KB |
| visx-brush | +0.0% | 41.01 KB | 41 KB | 42.97 KB | 42.97 KB |
| visx-chord | +0.8% | 1.86 KB | 1.84 KB | 2.62 KB | 2.62 KB |
| visx-clip-path | +1.3% | 1.47 KB | 1.45 KB | 2.65 KB | 2.65 KB |
| visx-curve | +4.5% | 351 B | 336 B | 2.53 KB | 2.53 KB |
| visx-delaunay | +1.2% | 1.43 KB | 1.41 KB | 2.43 KB | 2.43 KB |
| visx-drag | +0.2% | 8.84 KB | 8.83 KB | 10.77 KB | 10.77 KB |
| visx-event | +0.4% | 3.46 KB | 3.45 KB | 5.13 KB | 5.13 KB |
| visx-geo | +0.2% | 7.87 KB | 7.86 KB | 11.4 KB | 11.4 KB |
| visx-glyph | +0.2% | 7.02 KB | 7.01 KB | 11.15 KB | 11.15 KB |
| visx-gradient | +0.3% | 6.71 KB | 6.69 KB | 11.31 KB | 11.31 KB |
| visx-grid | +0.1% | 9.37 KB | 9.35 KB | 12.59 KB | 12.59 KB |
| visx-group | +3.1% | 499 B | 484 B | 1.01 KB | 1.01 KB |
| visx-heatmap | +0.5% | 3.41 KB | 3.39 KB | 4.46 KB | 4.46 KB |
| visx-hierarchy | +0.2% | 8.44 KB | 8.42 KB | 13.14 KB | 13.14 KB |
| visx-legend | +0.1% | 14.45 KB | 14.44 KB | 20.27 KB | 20.27 KB |
| visx-marker | +0.4% | 3.73 KB | 3.72 KB | 5.98 KB | 5.98 KB |
| visx-mock-data | +0.0% | 318.01 KB | 317.99 KB | 322.98 KB | 322.98 KB |
| visx-network | +0.6% | 2.99 KB | 2.97 KB | 4.99 KB | 4.99 KB |
| visx-pattern | +0.2% | 7.18 KB | 7.16 KB | 10.08 KB | 10.08 KB |
| visx-point | +2.0% | 776 B | 761 B | 1.86 KB | 1.86 KB |
| visx-react-spring | +0.3% | 8.49 KB | 8.47 KB | 10.75 KB | 10.75 KB |
| visx-responsive | +0.2% | 8.83 KB | 8.81 KB | 11.24 KB | 11.24 KB |
| visx-sankey | +0.6% | 2.44 KB | 2.42 KB | 3.8 KB | 3.8 KB |
| visx-scale | +0.1% | 18.38 KB | 18.36 KB | 30.19 KB | 30.19 KB |
| visx-shape | +0.0% | 50.59 KB | 50.58 KB | 72.87 KB | 72.87 KB |
| visx-stats | +0.2% | 9.03 KB | 9.02 KB | 10.44 KB | 10.44 KB |
| visx-text | +0.2% | 5.81 KB | 5.8 KB | 7.28 KB | 7.28 KB |
| visx-threshold | +0.9% | 2.02 KB | 2 KB | 2.69 KB | 2.69 KB |
| visx-tooltip | +0.2% | 8.96 KB | 8.94 KB | 13.35 KB | 13.35 KB |
| visx-visx | +0.9% | 1.5 KB | 1.49 KB | 3.91 KB | 3.91 KB |
| visx-voronoi | +1.3% | 1.27 KB | 1.25 KB | 2.04 KB | 2.04 KB |
| visx-wordcloud | +1.0% | 1.94 KB | 1.92 KB | 2.92 KB | 2.92 KB |
| visx-xychart | +0.0% | 122.18 KB | 122.16 KB | 151.95 KB | 151.95 KB |
| visx-zoom | +0.1% | 12.21 KB | 12.19 KB | 14.49 KB | 14.49 KB |

Compared to master. File sizes are unminified and ungzipped.

@hshoff hshoff merged commit 2e34caf into master Nov 11, 2025
7 checks passed
@hshoff hshoff deleted the hshoff-oidc branch November 11, 2025 17:09
// --no-verify-access is needed because the CI token isn't valid for that endpoint
`npx lerna publish ${version} --exact --yes --dist-tag ${distTag}`,
// --provenance generates build attestation when using OIDC in GitHub Actions
`npx lerna publish ${version} --exact --yes --dist-tag ${distTag} --provenance`,
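
Review bot: The new command on the last line passes --provenance unconditionally, while the comment directly above it ties the flag to "using OIDC in GitHub Actions"; nothing in these lines checks that the script is running there, so every invocation of the release script gets the flag. Either append it only when the script runs inside the workflow, or leave it out of the script if the publish does not depend on it. Separately, the comment on the first line describes --no-verify-access, a flag the command on the second line does not pass, so it is worth confirming that no other comment around this call has drifted from the command it documents.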

@hshoff hshoff Nov 11, 2025

--provenance breaks release script and is unnecessary. I missed this detail in the blog post

Fixed in #1972
