
feat: migrate npm publish to OIDC authentication #2381

Merged
steebchen merged 2 commits into main from migrate-npm-oidc
Feb 6, 2026

Conversation

@steebchen
Member

Summary

  • Replace NPM_TOKEN secret with GitHub Actions OIDC for npm publishing in the release workflow
  • Add permissions: id-token: write to enable OIDC token generation
  • Remove NODE_AUTH_TOKEN env vars from publish steps
  • Add --provenance flag to publish commands for supply chain attestation

Prerequisites

Before merging, configure trusted publishers on npmjs.com for both packages:

  1. Go to https://www.npmjs.com/package/@cartridge/controller/access → "Configure Trusted Publishers"
  2. Go to https://www.npmjs.com/package/@cartridge/connector/access → "Configure Trusted Publishers"
  3. Set repository to cartridge-gg/controller and workflow to release.yml

After this is configured, the NPM_TOKEN secret can be removed from the repository settings.

Test plan

  • Configure trusted publishers on npm for both @cartridge/controller and @cartridge/connector
  • Trigger a test release to verify OIDC authentication works
  • Verify provenance attestation appears on npm package pages
  • Remove NPM_TOKEN secret from repository settings after successful publish

🤖 Generated with Claude Code

Replace NPM_TOKEN secret with GitHub Actions OIDC for npm publishing.
This removes the need to manage npm access tokens as repository secrets
and adds provenance attestation to published packages.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 6, 2026 11:22
@vercel

vercel bot commented Feb 6, 2026

The latest updates on your projects.

Project                 | Deployment | Actions | Updated (UTC)
controller-example-next | Ready      | Preview | Feb 6, 2026 2:19pm
keychain                | Ready      | Preview | Feb 6, 2026 2:19pm
keychain-storybook      | Ready      | Preview | Feb 6, 2026 2:19pm


Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Migrates the npm publishing flow in the release pipeline from a long-lived NPM_TOKEN secret to GitHub Actions OIDC-based trusted publishing, and enables npm provenance attestations.

Changes:

  • Add GitHub Actions OIDC permissions (id-token: write) to the release workflow.
  • Remove NODE_AUTH_TOKEN usage from npm publish steps in the release workflow.
  • Add --provenance to the monorepo publish scripts used during releases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                          | Description
package.json                  | Appends --provenance to release/prerelease publish scripts to generate supply-chain attestations.
.github/workflows/release.yml | Enables OIDC via permissions and removes npm token env usage during publishing.

Comment on lines 40 to 48
- name: Publish release to npm
if: ${{ github.event.pull_request.head.ref == 'prepare-release' }}
run: |
pnpm release
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish prerelease to npm
if: ${{ github.event.pull_request.head.ref == 'prepare-prerelease' }}
run: |
pnpm release:prerelease
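Review bot: both publish steps are gated only on the head branch name (`if: ${{ github.event.pull_request.head.ref == 'prepare-release' }}` and the `prepare-prerelease` counterpart), and nothing in this hunk checks that the pull request was actually merged. Unless the workflow trigger already enforces that, add `github.event.pull_request.merged == true` to both conditions; with the token gone, the OIDC trusted publisher pins the repository and workflow file, not the branch, so the workflow itself has to decide which runs are allowed to publish.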

Copilot AI Feb 6, 2026

With workflow_dispatch enabled, this job can run without a PR context, but both publish steps are gated on github.event.pull_request.head.ref. For manual dispatch runs, these conditions evaluate false and nothing gets published to npm (while later steps still finalize the GitHub release). Consider either removing workflow_dispatch or adding dispatch inputs (e.g. release vs prerelease) and updating the if: conditions to publish when github.event_name == 'workflow_dispatch' (or based on github.ref_name).

Comment on lines +10 to +13
permissions:
id-token: write
contents: write
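Review bot: `id-token: write` declared at the workflow level applies to every job, so any step in any job (including third-party actions run there) can request a GitHub OIDC token that npm's trusted publisher would accept as originating from `release.yml`. Set the top-level block to `contents: read` and place `id-token: write` together with `contents: write` on the publish job only.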


Copilot AI Feb 6, 2026

Repo workflows consistently scope permissions at the job level (e.g. docs-sync.yml, release-dispatch.yml, claude.yml), but this workflow sets them at the top level. Keeping id-token: write scoped to just the publishing job reduces blast radius if more jobs are added later; consider moving this permissions block under jobs.publish.permissions (and defaulting workflow permissions to read).

@claude
Contributor

claude bot commented Feb 6, 2026

Code Review

I found a critical issue that will prevent this PR from working as intended:

❌ Publishing will fail - npm version does not support OIDC trusted publishing

Location: .github/workflows/release.yml line 29

The workflow uses node-version: "20.x", which ships with npm 10.x. However, npm OIDC trusted publishing requires npm 11.5.0 or later (added in npm/cli#8336 in July 2025).

The Problem:

  1. This PR removes NODE_AUTH_TOKEN from the publish steps (lines 44-45, 50-51)
  2. Without NODE_AUTH_TOKEN and without OIDC support in npm 10.x, there is no authentication mechanism to publish to the npm registry
  3. The --provenance flag and id-token: write permission only enable provenance attestation (signing), not registry authentication
  4. When actions/setup-node is configured with registry-url, it creates an .npmrc with a placeholder token that will cause authentication to fail

Result: Both pnpm release and pnpm release:prerelease commands will fail with authentication errors when the workflow runs.

✅ How to Fix

Option 1 (Recommended): Upgrade to Node.js 22.x

Change line 29 in .github/workflows/release.yml:

- uses: actions/setup-node@v4
  with:
    node-version: "22.x"  # Changed from 20.x
    registry-url: "https://registry.npmjs.org/"

Node.js 22.x ships with npm 11.0+ which supports OIDC trusted publishing.

Option 2: Manually upgrade npm

Add a step after setup-node:

- uses: actions/setup-node@v4
  with:
    node-version: "20.x"
    registry-url: "https://registry.npmjs.org/"
- name: Upgrade npm
  run: npm install -g npm@latest

Note: Make sure to configure trusted publishers on npmjs.com as mentioned in the PR description before merging.

npm OIDC trusted publishing requires npm 11.5.0+, which ships with
Node.js 22.x. Node.js 20.x only includes npm 10.x which does not
support OIDC authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
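Putting the PR description's changes together with the review findings (Node 22 for npm 11.5+, job-level permissions, a dispatch input so manual runs still publish), here is an added illustrative release workflow; it is not the repository's release.yml, and the trigger events, the `kind` input, the `merged == true` gate and the pnpm/action-setup step are assumptions:

```yaml
# Added example (not the project's release.yml): npm trusted publishing via OIDC,
# with the review feedback applied. Assumptions: the trigger events, the `kind`
# input, the merged == true gate, and the pnpm/action-setup step.
name: release

on:
  pull_request:
    types: [closed]
    branches: [main]
  workflow_dispatch:
    inputs:
      kind:
        description: "release or prerelease"
        type: choice
        options: [release, prerelease]
        default: release

# Workflow-wide default is read-only; only the publish job may mint OIDC tokens.
permissions:
  contents: read

jobs:
  publish:
    # Publish only for a merged PR or an explicit manual dispatch.
    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # npm exchanges this OIDC token for publish auth and signs provenance
      contents: write   # only needed if this job also creates the GitHub release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22.x"   # npm 11.5+ is required for OIDC trusted publishing
          registry-url: "https://registry.npmjs.org/"
      - uses: pnpm/action-setup@v4
      - run: pnpm install --frozen-lockfile
      # No NODE_AUTH_TOKEN anywhere: the registry validates the OIDC token against
      # the trusted publisher (repository + workflow file) configured on npmjs.com.
      # The release scripts in package.json pass --provenance to npm publish.
      - name: Publish release to npm
        if: github.event.inputs.kind == 'release' || github.event.pull_request.head.ref == 'prepare-release'
        run: pnpm release
      - name: Publish prerelease to npm
        if: github.event.inputs.kind == 'prerelease' || github.event.pull_request.head.ref == 'prepare-prerelease'
        run: pnpm release:prerelease
```

After a successful publish, the package page on npmjs.com shows the provenance badge, and `npm audit signatures` in a consuming project verifies the attestation against the registry.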
@claude
Contributor

claude bot commented Feb 6, 2026

Claude finished @steebchen's task

Analyzing controller PR changes and updating documentation

I'll analyze the merged PR that migrated npm publishing to OIDC authentication and update the documentation accordingly.

Todo List:

  • Read the changed files to understand the migration details
  • Explore docs-repo structure to find existing documentation
  • Determine what documentation needs updates
  • Update or create documentation as needed
  • Commit and push any documentation changes

Analysis Complete:

After reviewing the PR changes and exploring the docs repository, I found:

Changes Made in Controller PR:

  • Migrated from NPM_TOKEN secret to GitHub Actions OIDC authentication
  • Added permissions: id-token: write to enable OIDC token generation
  • Removed NODE_AUTH_TOKEN environment variables from publish steps
  • Added --provenance flag for supply chain attestation
  • Updated Node.js from 20.x to 22.x (required for npm 11+ OIDC support)

Documentation Assessment:
The documentation in docs-repo is entirely user-facing and focuses on:

  • Controller SDK usage and integration examples
  • Architecture explanations for developers using the SDK
  • Slot platform services and billing
  • Arcade game development

No Documentation Updates Needed:
The OIDC migration is an internal infrastructure change that:

  • Does not affect any public APIs
  • Does not change user-facing functionality
  • Does not impact SDK usage or integration patterns
  • Is purely an operational improvement for the maintainers

The existing documentation remains accurate and complete for end users and developers integrating Controller.

Task Complete - No Changes Required
