DX-2278: update release to use npm OIDC #149

Merged
CahidArda merged 6 commits into main from DX-2278-npm-release on Feb 5, 2026

Conversation

CahidArda (Contributor) commented Jan 30, 2026

NPM OIDC Migration Instructions

Migrate npm publishing from NPM_TOKEN to npm OIDC with provenance attestation.

Prerequisites

Configure npm trusted publishers on npmjs.com:

  • Go to package settings → "Publishing access" → Add trusted publisher
  • Repository: upstash/<package-name>
  • Workflow: ci.yml (the router workflow)

Changes

1. package.json

Add repository field (required for npm provenance):

```json
"repository": {
  "type": "git",
  "url": "git@github.com:upstash/<package-name>.git"
}
```

2. Create .github/workflows/ci.yml

Create a router workflow that calls tests and release workflows. npm OIDC only allows one workflow file to have publish permission, so both workflows must be called from this single router.

  • Triggers: pull_request, release.published, schedule
  • Permissions: id-token: write, contents: read
  • Jobs:
    • tests: runs on non-release events, calls tests.yaml with secrets: inherit
    • release: runs on release events, calls release.yml with prerelease: ${{ github.event.release.prerelease }} input and secrets: inherit

3. Update .github/workflows/release.yml

  • Change trigger from release.published to workflow_call with prerelease boolean input
  • Update actions/checkout to v4
  • Update actions/setup-node to v4 with node-version: 24 and add registry-url: https://registry.npmjs.org
  • Remove the "Add npm token" step that creates .npmrc
  • Add --provenance flag to all npm publish commands
  • Change prerelease condition from github.event.release.prerelease to inputs.prerelease

4. Update .github/workflows/tests.yaml

  • Change trigger from pull_request/schedule to workflow_call
  • In the CI canary release job:
    • Update actions/checkout to v4
    • Update actions/setup-node to v4 with node-version: 24 and add registry-url: https://registry.npmjs.org
    • Remove the "Add npm token" step that creates .npmrc
    • Add --provenance flag to npm publish command

5. Changes in Repo Settings on Github

  • Removed NPM_TOKEN secret
  • Checked that the "Approval for running fork pull request workflows from contributors" setting under the Actions settings is set to "Require approval for all external contributors"

Summary

| Before | After |
|---|---|
| NPM_TOKEN in .npmrc | registry-url in setup-node |
| npm publish | npm publish --provenance |
| actions/checkout@v3 | actions/checkout@v4 |
| actions/setup-node@v2/v3 | actions/setup-node@v4 |
| Node 18/20 | Node 24 |
| Direct workflow triggers | workflow_call + router ci.yml |
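As an added example (not code from this PR or from the upstash repositories), this is how the router ci.yml from step 2 and the workflow_call-based release.yml from step 3 fit together: the router is the single workflow npm trusts, holds the id-token: write permission, and passes the prerelease flag down. The workflow and job names, the cron expression and the install step are assumptions.

```yaml
# --- .github/workflows/ci.yml (router; the only workflow registered as npm trusted publisher) ---
name: CI
on:
  pull_request:
  release:
    types: [published]
  schedule:
    - cron: "0 0 * * *"   # assumption: the PR does not state the schedule
permissions:
  id-token: write   # lets jobs request the GitHub OIDC token npm exchanges for publish rights
  contents: read    # no write access to the repo is needed to publish
jobs:
  tests:
    if: github.event_name != 'release'
    uses: ./.github/workflows/tests.yaml
    secrets: inherit
  release:
    if: github.event_name == 'release'
    uses: ./.github/workflows/release.yml
    with:
      prerelease: ${{ github.event.release.prerelease }}
    secrets: inherit
---
# --- .github/workflows/release.yml (callable only; no direct trigger remains) ---
name: Release
on:
  workflow_call:
    inputs:
      prerelease:
        type: boolean
        required: true
jobs:
  publish:
    runs-on: ubuntu-latest
    # permissions are inherited from the router; nothing to declare here
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org   # replaces the hand-written .npmrc
      # install and build steps from the existing workflow go here (assumed, not shown)
      - name: Publish release candidate
        if: inputs.prerelease
        run: npm publish --access public --tag=canary --no-git-checks --provenance
      - name: Publish
        if: "!inputs.prerelease"
        run: npm publish --access public --no-git-checks --provenance
```

A consumer can confirm the resulting provenance attestation with `npm audit signatures` in a project that installs the published version.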


vercel bot (Contributor) commented Jan 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| ratelimit-with-vercel-kv | Ready | Preview, Comment | Feb 5, 2026 8:11am |

Copilot AI left a comment


Pull request overview

This PR migrates the npm release workflow from traditional token-based authentication to OIDC (OpenID Connect) authentication, following npm's trusted publishers documentation. The change enhances security by eliminating the need to store long-lived npm tokens as secrets.

Changes:

  • Add OIDC permissions (id-token: write and contents: read) to enable GitHub Actions OIDC authentication
  • Update GitHub Actions to newer versions (checkout@v4, setup-node@v4) and configure npm registry URL
  • Remove manual npm token authentication step in favor of OIDC
  • Update Node.js version from 18 to 24

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:49

  • The publish steps are missing the NODE_AUTH_TOKEN environment variable required for OIDC authentication. When using registry-url with actions/setup-node for OIDC authentication, npm publish commands need to have NODE_AUTH_TOKEN set. Add the environment variable to both publish steps:

```yaml
env:
  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

This environment variable tells npm to use the OIDC token generated by GitHub Actions for authentication with the npm registry.

```yaml
      - name: Publish release candidate
        if: "github.event.release.prerelease"
        run: npm publish --access public --tag=canary --no-git-checks

      - name: Publish
        if: "!github.event.release.prerelease"
        run: npm publish --access public --no-git-checks
```


alitariksahin previously approved these changes Feb 2, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.


CahidArda added a commit to upstash/qstash-js that referenced this pull request Feb 5, 2026
CahidArda added a commit to upstash/react-redis-browser that referenced this pull request Feb 5, 2026
ytkimirti pushed a commit to upstash/react-redis-browser that referenced this pull request Feb 5, 2026
CahidArda added a commit to upstash/vector-js that referenced this pull request Feb 5, 2026
CahidArda added a commit to upstash/workflow-js that referenced this pull request Feb 5, 2026
CahidArda added a commit to upstash/redis-js that referenced this pull request Feb 5, 2026
CahidArda merged commit 8db1d8d into main Feb 5, 2026 (7 of 9 checks passed)
CahidArda added a commit to upstash/redis-js that referenced this pull request Feb 5, 2026

CahidArda added a commit to upstash/workflow-js that referenced this pull request Feb 5, 2026

    * fix: use npm OIDC

    Check upstash/ratelimit-js#149 for more details

    * fix: repository.url to fix provenance check

    * fix: fmt

CahidArda added a commit to upstash/vector-js that referenced this pull request Feb 5, 2026

    * feat: use npm OIDC

    check upstash/ratelimit-js#149 for more details

    * fix: await indexing in test

CahidArda added a commit to upstash/qstash-js that referenced this pull request Feb 5, 2026

    * feat: use npm OIDC

    for more details, see upstash/ratelimit-js#149

    * fix: add sleep between cursor requests

    * fix: simplify cursor tests

    * fix: flaky test