Use OIDC for npm publish (#990)

jakubno · web-flow · commit 60fb009e4a8a · 2025-10-30T02:13:40.000-07:00
> [!NOTE] > Move npm publishing to OIDC by adding id-token permissions and removing NPM_TOKEN, update actions/setup-node to v6, and upgrade npm in workflows. > > - **Workflows**: > - **OIDC for npm publish**: > - Add `permissions: id-token: write` in `workflows/publish_packages.yml` and `workflows/release.yml`. > - Remove `NPM_TOKEN` secret requirement and set `NPM_TOKEN: ""` in `changesets/action` env. > - **Node/tooling updates**: > - Bump `actions/setup-node` from `v3` to `v6` and set `registry-url` where needed. > - Add step to upgrade `npm` to `^11.6` in `publish_packages.yml`. > - Keep pnpm caching/configuration and other steps intact. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 539db59. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/workflows/publish_packages.yml b/.github/workflows/publish_packages.yml
@@ -5,13 +5,12 @@ on:
     secrets:
       E2B_API_KEY:
         required: true
-      NPM_TOKEN:
-        required: true
       PYPI_TOKEN:
         required: true
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   test:
@@ -54,16 +53,22 @@ jobs:
           version: '${{ env.TOOL_VERSION_PNPM }}'
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: '${{ env.TOOL_VERSION_NODEJS }}'
+          registry-url: 'https://registry.npmjs.org'
           cache: pnpm
 
       - name: Configure pnpm
         run: |
           pnpm config set auto-install-peers true
           pnpm config set exclude-links-from-lockfile true
 
+      - name: Update npm
+        run: |
+          npm install -g npm@^11.6
+          npm --version
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
@@ -79,7 +84,7 @@ jobs:
           createGithubReleases: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: "" # See https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
       - name: Generate SDK reference
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,7 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 permissions:
+  id-token: write
   contents: write
 
 jobs:
@@ -32,7 +33,7 @@ jobs:
           version: '${{ env.TOOL_VERSION_PNPM }}'
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: '${{ env.TOOL_VERSION_NODEJS }}'
           registry-url: 'https://registry.npmjs.org'
@@ -80,7 +81,7 @@ jobs:
           version: '${{ env.TOOL_VERSION_PNPM }}'
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: '${{ env.TOOL_VERSION_NODEJS }}'
           registry-url: 'https://registry.npmjs.org'
