
Copilot AI commented Jan 23, 2026

Fix automated release with OIDC provenance publishing

The semantic-release workflow was failing due to invalid npm token. The npm registry has been configured with trusted publishing using OIDC, requiring updates to support provenance-based publishing.

Changes Completed:

  • Update .github/workflows/main.yml to add OIDC permissions and configure provenance
    • Added id-token: write permission for OIDC authentication
    • Added contents: write, issues: write, pull-requests: write permissions for semantic-release
    • Configured registry-url: 'https://registry.npmjs.org' in setup-node action
    • Removed NPM_TOKEN dependency (OIDC handles authentication automatically)
  • Update package.json to configure semantic-release npm plugin with provenance option
    • Enabled provenance: true in @semantic-release/npm plugin
    • Explicitly set npmPublish: true for clarity
  • Test and validate the changes
    • Validated package.json is valid JSON ✓
    • Validated workflow YAML syntax ✓
    • Code review completed with no issues ✓
    • CodeQL security scan completed with no alerts ✓

How This Fixes the Issue:

  1. OIDC Authentication: The id-token: write permission allows GitHub Actions to generate OIDC tokens that npm trusts
  2. Provenance Publishing: The provenance: true setting enables npm to verify package authenticity via the OIDC flow
  3. No More NPM_TOKEN: The workflow no longer needs a manually configured NPM_TOKEN secret since OIDC provides automatic authentication

When semantic-release runs on the main branch, it will now use GitHub's OIDC provider to authenticate with npm and publish with provenance attestations.

Original prompt

This section details the original issue you should resolve

<issue_title>The automated release is failing 🚨</issue_title>
<issue_description>## 🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two Factor Authentication for your account, set its level to "Authorization only" in your account settings. semantic-release cannot publish with the default "Authorization and writes" level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.


Good luck with your project ✨

Your semantic-release bot 📦🚀

<agent_instructions>What is needed to resolve this? likely we need to publish with provenance and update the package.json and/or the publish scripts/workflows?

I have already updated the npm registry with setting up trusted publishing for this package:
Trusted Publisher
Establish a trust between your package and your repository using OpenID Connect (OIDC).
Learn more about OpenID Connect.

lirantal/create-node-lib
main.yml</agent_instructions>

Comments on the Issue (you are @copilot in this section)
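The PR description above lists the settings that were changed but does not show the workflow itself. The following is an added illustration, not the repository's actual `.github/workflows/main.yml` or the code of the PR: it places the token-based job that produces the "Invalid npm token" error next to a job using the OIDC trusted-publishing setup the PR describes. The job name, action versions, `node-version`, the `npm ci` / `npx semantic-release` steps and the `fetch-depth: 0` setting are assumptions; the permission names, `registry-url` and the dropped `NPM_TOKEN` come from the PR description.

```yaml
# BEFORE (assumed shape of the failing job, not the repository's file):
# a long-lived NPM_TOKEN secret is the only thing standing between the
# workflow and a publish; when it expires or is revoked, semantic-release
# reports "Invalid npm token".
name: Release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # static credential stored in the repo secrets

# AFTER (assumed shape; settings taken from the PR description above):
# no registry credential is stored anywhere; the job requests a short-lived
# GitHub OIDC token at publish time and npm checks it against the trusted
# publisher registered for the package (repository + workflow file name).
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # allow this job to mint an OIDC token for npm
      contents: write        # semantic-release pushes the version tag and release
      issues: write          # semantic-release comments on resolved issues
      pull-requests: write   # semantic-release comments on included PRs
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so semantic-release can compute the next version
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'   # setup-node writes an .npmrc for this registry
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI (11.5.1 or later)
      - run: npm ci
      - run: npx semantic-release        # @semantic-release/npm configured with npmPublish: true, provenance: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # no NPM_TOKEN: authentication is the OIDC token exchange
```

Two things worth checking on a setup like this. First, the trust relationship registered on npm (the "Trusted Publisher" form quoted above names the repository `lirantal/create-node-lib` and the file `main.yml`) is bound to that exact workflow file name, so renaming the workflow silently breaks publishing. Second, `id-token: write` lets any step in the job request an OIDC token, so the job should contain only what the release needs; the `permissions` block at job level also narrows `GITHUB_TOKEN` to exactly the four scopes listed. After a release, `npm audit signatures` run in a project that installs the package can be used to check that the published version carries a valid registry signature and provenance attestation.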


@lirantal lirantal marked this pull request as ready for review January 23, 2026 10:53
@qodo-code-review

PR Code Suggestions ✨

No code suggestions found for the PR.

Co-authored-by: lirantal <316371+lirantal@users.noreply.github.com>
Copilot AI requested a review from lirantal as a code owner January 23, 2026 10:54
Co-authored-by: lirantal <316371+lirantal@users.noreply.github.com>
@lirantal lirantal merged commit 4450205 into main Jan 23, 2026
9 checks passed
@lirantal lirantal deleted the copilot/fix-automated-release-issues branch January 23, 2026 10:56
Copilot AI restored the copilot/fix-automated-release-issues branch January 23, 2026 10:56
Copilot AI requested a review from lirantal January 23, 2026 10:56
Copilot stopped work on behalf of lirantal due to an error January 23, 2026 10:56
github-actions bot pushed a commit that referenced this pull request Jan 23, 2026
## [2.9.3](v2.9.2...v2.9.3) (2026-01-23)

### Bug Fixes

* add prepare script to template for Husky initialization ([#33](#33)) ([4ff841d](4ff841d))
* add publishConfig to package.json ([13fd5cf](13fd5cf))
* fix automated release failures from main branch ([#35](#35)) ([4450205](4450205))
* Fix JSON formatting in package.json ([2532548](2532548))
* nest semantic-release plugins in release config for OIDC provenance ([#37](#37)) ([afbcecd](afbcecd))
* npm publishing ([00bd030](00bd030))
* out of sync package lock ([a5400dc](a5400dc))
* update deep deps ([49fdbae](49fdbae))
@github-actions

🎉 This PR is included in version 2.9.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

The automated release is failing 🚨
