
Migrate npm publish to trusted publishers (OIDC)#113

Open
JustWalters wants to merge 5 commits into master from feature/npm-trusted-publishers

Conversation

@JustWalters (Contributor) commented Mar 3, 2026

Summary

  • https://docs.npmjs.com/trusted-publishers
  • Removes ENVOY_NPM_AUTOMATION_TOKEN secret dependency in favor of npm trusted publishing via OIDC (id-token: write)
  • Adds workflow_dispatch trigger for manual testing before merge
  • Upgrades to Node 24 (ships with npm 11.5.1+ required for trusted publishing)
  • Removes --tag beta so releases publish to latest
  • Fixes deprecated ::set-output → $GITHUB_OUTPUT
  • GitHub Packages publish step is unchanged (still uses GITHUB_TOKEN)

Test plan

  • Trigger the workflow manually via Actions tab (workflow_dispatch) to verify OIDC auth works
  • Confirm provenance attestation appears on the published package on npmjs.com
  • Merge and verify next release publishes correctly to latest

🤖 Generated with Claude Code
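As an added example (not the repository's own `.github/workflows/package.yaml`, whose full contents are not shown here), the following workflow has the shape the summary above describes: `id-token: write` granted at the job level, a `workflow_dispatch` trigger for manual testing, Node 24, the `$GITHUB_OUTPUT` form with the path quoted, and `npm publish` with no `NODE_AUTH_TOKEN`. It also skips pre-releases and skips the publish when the version already exists on the registry, which is one way to avoid the 409 on repeated manual runs. The trigger, the pre-release guard, the version-exists check, and the step ids are assumptions, not the project's code.

```yaml
# Illustrative publish workflow; assumptions: the package is public, releases are
# created through GitHub Releases, and a trusted publisher for this repository
# and workflow filename is configured on npmjs.com.
name: Publish to npm (trusted publishing)

on:
  release:
    types: [published]
  workflow_dispatch:          # manual run to verify OIDC auth before merging

permissions:
  contents: read              # default-deny at the workflow level

jobs:
  publish:
    runs-on: ubuntu-latest
    # Skip pre-releases so a test run cannot move the `latest` dist-tag.
    # On workflow_dispatch github.event.release is null, so the guard passes.
    if: ${{ !github.event.release.prerelease }}
    permissions:
      contents: read
      id-token: write         # lets npm request an OIDC token for this job run
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24                            # bundles npm >= 11.5.1
          registry-url: https://registry.npmjs.org    # registry to publish to

      - id: node
        # Quoted redirect target, as suggested in review.
        run: echo "version=$(node --version)" >> "$GITHUB_OUTPUT"

      - run: echo "Publishing with Node ${{ steps.node.outputs.version }}"

      - run: npm ci

      - id: check
        # Assumed 409-avoidance step: look the exact version up on the registry;
        # `npm view` exits non-zero when the version is not published.
        run: |
          name=$(node -p "require('./package.json').name")
          version=$(node -p "require('./package.json').version")
          if npm view "$name@$version" version >/dev/null 2>&1; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      # No NODE_AUTH_TOKEN: npm exchanges the job's OIDC token for a short-lived
      # publish credential and, under trusted publishing, attaches provenance.
      - if: steps.check.outputs.exists == 'false'
        run: npm publish --access public
```

The job-level `permissions:` block replaces the workflow-level one entirely, so `contents: read` is repeated there on purpose; anything the job does not list is denied.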

JustWalters and others added 4 commits March 3, 2026 14:56
Removes the ENVOY_NPM_AUTOMATION_TOKEN secret dependency in favor of
npm trusted publishing via OIDC. Adds workflow_dispatch for manual
testing. Also upgrades to Node 24, drops --tag beta, and fixes
deprecated ::set-output syntax.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents 409 failures when manually triggering for testing purposes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@JustWalters JustWalters marked this pull request as ready for review March 3, 2026 21:23
@JustWalters JustWalters requested a review from Copilot March 3, 2026 21:23

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5dd57f6f65


- run: npm publish --tag beta --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.ENVOY_NPM_AUTOMATION_TOKEN }}
- run: npm publish --access public
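Review bot: with the `env:` block and `NODE_AUTH_TOKEN` removed, the new `npm publish --access public` line has no credential other than the job's OIDC token, so this hunk cannot be judged on its own: `id-token: write` must be granted on the job that runs this step (a job-level `permissions:` block replaces the workflow-level grant entirely, it does not merge with it), and the `actions/setup-node` step must still set `registry-url` so npm targets npmjs.com. Please include those lines in the diff or reference them, since a missing grant surfaces only at publish time as an auth failure.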


P2: Add provenance flag to npm trusted publish

This publish command uses OIDC but omits --provenance, so npm will publish without generating a provenance attestation even though this migration is explicitly targeting trusted publishing. I verified CLI semantics via npm publish --help (where --provenance is optional) and npm config get provenance (default false), so in this workflow the release can succeed but still miss the supply-chain metadata expected from trusted publishers.


@JustWalters (Contributor, Author):

https://docs.npmjs.com/trusted-publishers#automatic-provenance-generation

When you publish using trusted publishing, npm automatically generates and publishes provenance attestations for your package. This happens by default—you don't need to add the --provenance flag to your publish command.

https://www.npmjs.com/package/@envoy/envoy-integrations-sdk/v/2.5.1#provenance
[image]


Copilot AI left a comment


Pull request overview

Migrates the npm publish workflow to npm Trusted Publishers (OIDC) to remove reliance on long-lived npm automation tokens, while updating the release publishing behavior.

Changes:

  • Add id-token: write and adjust job permissions to support OIDC-based npm publishing.
  • Upgrade the publish workflow to Node 24 and modernize outputs (::set-output → $GITHUB_OUTPUT).
  • Publish releases without the beta dist-tag (publishing to latest) for both npmjs and GitHub Packages.
Comments suppressed due to low confidence (1)

.github/workflows/package.yaml:23

  • Minor robustness: redirecting to $GITHUB_OUTPUT is safer when quoted (e.g., >> "$GITHUB_OUTPUT") in case the path ever contains spaces or special characters.
          echo "version=$(node --version)" >> $GITHUB_OUTPUT


- run: npm publish --tag beta --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.ENVOY_NPM_AUTOMATION_TOKEN }}
- run: npm publish --access public
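Review bot: dropping `--tag beta` from this line means every successful run of this step now moves the `latest` dist-tag, including runs started from the new `workflow_dispatch` trigger; gate the step so pre-releases and test runs cannot reach it (for example by checking `github.event.release.prerelease` on the job), or have the manual trigger publish under a non-`latest` dist-tag so a test publish cannot become what `npm install` resolves by default.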

Copilot AI Mar 3, 2026


The PR description calls out verifying provenance attestation, but the publish command doesn’t explicitly enable provenance generation. To avoid relying on npm’s default behavior (which can change across npm versions), consider making it explicit via npm publish --provenance ... or setting NPM_CONFIG_PROVENANCE=true for the publish step.

@JustWalters (Contributor, Author):

I'm fine with relying on default behavior here.

Both npm and GitHub Packages publishes are skipped when a release is
marked as pre-release. Use publish-rc-manual.yaml for internal RC builds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.



@JustWalters JustWalters requested review from a team March 3, 2026 21:47