Switch to npm trusted publishing (OIDC)

ochafik · claude · ochafik · commit c7b7bc7f566a · 2025-12-09T00:32:44.000+01:00
- Remove NPM_TOKEN secret requirement from npm-publish workflow - Uses OIDC for authentication (more secure, no long-lived tokens) - Update CONTRIBUTING.md with trusted publisher setup instructions 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -45,7 +45,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
-    environment: release
+    environment: Release
     needs: [build, test]
 
     permissions:
@@ -80,6 +80,6 @@ jobs:
             echo "tag=" >> $GITHUB_OUTPUT
           fi
 
+      # Uses OIDC trusted publishing - no NPM_TOKEN needed
+      # Configure at: https://www.npmjs.com/package/@modelcontextprotocol/ext-apps/access
       - run: npm publish --provenance --access public ${{ steps.npm-tag.outputs.tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -60,16 +60,21 @@ Please review our [Security Policy](SECURITY.md) for reporting security vulnerab
 
 ### Repository Setup
 
-Before publishing releases, ensure the following are configured:
+This repository uses [npm trusted publishing](https://docs.npmjs.com/trusted-publishers/) with OIDC - no secrets required.
 
-1. **NPM_TOKEN secret**: Add an npm automation token to the repository secrets
-   - Go to Settings � Secrets and variables � Actions
-   - Create a new secret named `NPM_TOKEN`
-   - Value: an npm automation token with publish permissions for `@modelcontextprotocol/ext-apps`
+Before publishing releases, ensure the following are configured:
 
-2. **`release` environment** (optional): Create a protected environment for additional safeguards
-   - Go to Settings � Environments � New environment
-   - Name it `release`
+1. **Trusted publisher on npm**: Configure the package to trust this GitHub repository
+   - Go to https://www.npmjs.com/package/@modelcontextprotocol/ext-apps/access
+   - Under "Trusted Publishers", click "Add trusted publisher"
+   - Select "GitHub Actions"
+   - Repository: `modelcontextprotocol/ext-apps`
+   - Workflow filename: `npm-publish.yml`
+   - Environment: `Release` (optional, for additional protection)
+
+2. **`Release` environment** (optional): Create a protected environment for additional safeguards
+   - Go to Settings > Environments > New environment
+   - Name it `Release`
    - Add required reviewers or other protection rules as needed
 
 ### Publishing a Release
