feat(ci): migrate to npm granular tokens and enable provenance #107

Merged
nknavkal merged 2 commits into main from feat/ci/npm-granular-token-and-provenance
Feb 20, 2026
Conversation

@aromanoEco
Member

Summary

  • npm revoked all classic tokens as of Dec 2025. This updates the release workflow to work with granular access tokens and enables npm provenance attestation via OIDC.
  • Adds id-token: write permission and NPM_CONFIG_PROVENANCE: true to the release workflow
  • Enables provenance: true in the @semantic-release/npm plugin config

Required action

  • The NPM_TOKEN GitHub Actions secret must be rotated to a granular access token (created via npm token create or npmjs.com). Classic tokens no longer work.
  • Granular write tokens have a max 90-day expiry — consider setting a reminder to rotate.

Test plan

  • Rotate NPM_TOKEN secret to a granular access token on npmjs.com (with publish scope for @eco-foundation/chains)
  • Merge and verify the next release publishes successfully with provenance
  • Confirm provenance badge appears on the npm package page

🤖 Generated with Claude Code

npm classic tokens were revoked (Dec 2025). This updates the release
workflow to support granular access tokens and enables npm provenance
attestation via OIDC for supply chain security.

- Add id-token: write permission for OIDC provenance signing
- Enable NPM_CONFIG_PROVENANCE in release step
- Enable provenance in @semantic-release/npm plugin config
- NPM_TOKEN secret must now be a granular access token (not classic)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

provenance is not a valid @semantic-release/npm plugin option. The
correct location is publishConfig in package.json, which npm reads
directly during publish.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
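The two commit messages above describe three settings that only work together: the `id-token: write` job permission (so the runner can mint the OIDC token), `NPM_CONFIG_PROVENANCE` (so `npm publish` requests an attestation) and `publishConfig.provenance` in package.json (read by npm itself, since the semantic-release plugin has no such option). The following is an added illustration of how they fit into a semantic-release workflow; it is not this repository's workflow file, and the job layout, Node version, action versions and the checkout options are assumptions.

```yaml
# Added example, not the project's own workflow. Job name, Node version,
# action versions and the checkout options are assumptions.
name: release

on:
  push:
    branches: [main]

permissions:
  contents: write   # semantic-release pushes the version tag and release notes
  id-token: write   # lets the job request the OIDC token npm signs provenance with

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # semantic-release reads full history to compute the next version
          persist-credentials: false  # semantic-release authenticates with GITHUB_TOKEN below instead

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # @semantic-release/npm reads NPM_TOKEN. It must now be a granular
          # access token with publish access to the package; classic tokens
          # are rejected by the registry.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Equivalent to `npm publish --provenance`. If id-token: write is
          # missing, npm errors out instead of publishing without provenance.
          NPM_CONFIG_PROVENANCE: true
```

The package.json side is a single key, `"publishConfig": { "provenance": true }`, and npm additionally checks that the package's `repository.url` matches the repository the workflow ran from, so a stale or missing `repository` field makes a provenance publish fail. For the "confirm provenance" step of the test plan, besides the badge on npmjs.com, a consumer can run `npm audit signatures` in a project that depends on the package; it reports whether each installed package has a verified registry signature and attestation.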
@nknavkal nknavkal self-requested a review February 20, 2026 21:03
Contributor

@nknavkal nknavkal left a comment

lgtm

@nknavkal nknavkal merged commit ec6223a into main Feb 20, 2026
2 checks passed
@nknavkal nknavkal deleted the feat/ci/npm-granular-token-and-provenance branch February 20, 2026 21:04