chore: add OIDC authentication for npm in release workflow #53
Conversation
| - name: Enable Corepack | ||
| run: corepack enable |
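Review bot: dropping `corepack enable` means the job uses the npm bundled with whatever Node release `.nvmrc` resolves to; trusted publishing requires npm 11.5.1 or later, so confirm that bundled version (or add a step that upgrades npm) before relying on token-less publish.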
dev: per our offline discussion with @causaly-mark this is not needed anymore
| #!/usr/bin/env sh | ||
| . "$(dirname -- "$0")/_/husky.sh" |
| @@ -1 +1 @@ | |||
| 20.13.0 | |||
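Review bot: the hunk shows only the removed `20.13.0`; the replacement `24` named in the description is a major-only pin, so each run resolves to the newest 24.x at that moment and two releases can be built with different Node and npm versions. For a publish workflow, a full `24.x.y` pin (upgraded deliberately) keeps releases reproducible.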
dev: upgrade to what is soon to be the latest LTS
Pull Request Overview
This PR updates the GitHub Actions release workflow to use OpenID Connect (OIDC) authentication with npm instead of classic npm tokens, aligning with npm's security recommendations. The changes also modernize the Node.js version configuration.
- Replaces NPM_TOKEN secret-based authentication with OIDC authentication
- Updates Node.js version from 20.13.0 to 24
- Simplifies the Husky commit-msg hook
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .nvmrc | Updates Node.js version from 20.13.0 to 24 |
| .husky/commit-msg | Removes shebang and Husky setup lines, keeping only the commitlint command |
| .github/workflows/release.yml | Adds OIDC permissions, removes NPM_TOKEN environment variables, and configures npm registry URL |
| publish: npm run release | ||
| commit: 'chore: version packages' | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.CHANGESET_RELEASE_TOKEN }} |
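Review bot: the env block correctly carries no npm token, but the `id-token: write` permission the OIDC exchange depends on is not in this hunk; confirm it is granted to this job, since a job-level `permissions:` block replaces the workflow-level one rather than merging with it. `secrets.CHANGESET_RELEASE_TOKEN` remains a long-lived credential, so note the minimum scopes it needs in a comment next to it and keep it out of any step that does not create the version PR.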
Copilot (AI), Oct 22, 2025
The OIDC authentication requires the NODE_AUTH_TOKEN environment variable to be set for npm publishing. Add NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to the env block, or if using provenance-based OIDC publishing without a token, ensure the changesets/action@v1 is configured to use OIDC authentication properly.
| GITHUB_TOKEN: ${{ secrets.CHANGESET_RELEASE_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.CHANGESET_RELEASE_TOKEN }} | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
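Review bot: this suggested line reintroduces the long-lived `NPM_TOKEN` secret the PR sets out to retire. With trusted publishing the npm CLI obtains a short-lived credential from the job's OIDC token itself, so `NODE_AUTH_TOKEN` is not needed, and keeping the secret around preserves exactly the classic-token exposure the change is meant to remove; if a publish fails, the things to check are the `id-token: write` permission and an npm version of 11.5.1 or later, not a token.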
| #!/usr/bin/env sh | ||
| . "$(dirname -- "$0")/_/husky.sh" | ||
| npx --no -- commitlint --edit ${1} |
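Review bot: whether removing the shebang breaks the hook depends on the Husky major in use. Husky 9 runs each hook file through its own `.husky/_/h` shim with `sh`, so `#!/usr/bin/env sh` and the `husky.sh` sourcing line are deprecated there and removing them is correct; on Husky 8 and earlier Git executes the file directly and the shebang is required. Check the `husky` version in package.json before merging. Separately, `${1}` is passed unquoted; `"$1"` is safer should the commit-message path ever contain spaces.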
Copilot (AI), Oct 22, 2025
Removing the shebang line makes this script non-executable. The file needs #!/usr/bin/env sh at the top to be directly executable by Git hooks.
Fuck AI ✊

Add OIDC authentication for npm, based on https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow. This is an attempt to move away from npm classic tokens per https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
The relevant changes have been made on the npm side (see below).
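As an added illustration (not this repository's `release.yml` and not code from the PR), the publish job written with a classic token beside its trusted-publishing form. The job names, the `NPM_TOKEN` secret and the use of a plain `npm publish` instead of the changesets action are assumptions, and the trusted publisher (repository plus workflow filename) is assumed to already be configured on npmjs.com, as the description says it is.

```yaml
name: release
on:
  push:
    branches: [main]

jobs:
  # BEFORE: a long-lived classic token stored as a repository secret. Any
  # step in the job (or a compromised dependency run by one) can read it and
  # publish from anywhere, at any time, until the token is revoked.
  publish-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # AFTER: trusted publishing. The job asks GitHub for a short-lived OIDC
  # token; npm checks its repository and workflow claims against the trusted
  # publisher configured for the package and issues a one-time publish
  # credential. There is no npm secret to leak or rotate.
  publish-with-oidc:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: lets the job request the OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm 11.5.1 or later; pin rather than trust
      # whichever npm the resolved Node release bundles.
      - run: npm install -g npm@11
      - run: npm ci
      # --provenance attaches a signed attestation tying the tarball to this
      # workflow run. No NODE_AUTH_TOKEN appears anywhere in env.
      - run: npm publish --provenance --access public
```

Keep only the second job in a real workflow; the first is shown so the removed credential is visible side by side.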