Skip to content

Trusted publishers #61

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JonoPrest merged 2 commits into from
Mar 27, 2026
Merged

Trusted publishers #61

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b4d5a79
Fix trusted publishing: upgrade to Node 24 for npm 11.x OIDC support
JasoonS Mar 27, 2026
e5c8f19
Add repository.url to all package.json files for provenance validation
JasoonS Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/publish_to_npm.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,9 +286,10 @@ jobs:
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: 22
node-version: 24
check-latest: true
cache: yarn
registry-url: 'https://registry.npmjs.org'
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

How to configure npm trusted publishers with GitHub Actions OIDC authentication?

💡 Result:

To configure npm trusted publishers with GitHub Actions OIDC authentication, follow these steps: 1. Ensure your package exists on npmjs.com (you cannot create new packages with OIDC; publish once manually with a token if needed). 2. Configure the trusted publisher on npmjs.com: - Go to https://www.npmjs.com/package/YOUR_PACKAGE/settings (or /access tab). - In "Trusted Publisher" section, select GitHub Actions. - Enter: - Owner: Your GitHub username or organization. - Repository: Repository name (without owner). - Workflow filename: e.g., publish.yml (must be in .github/workflows/, include .yml or .yaml extension). - Environment: Optional, e.g., 'npm' (must match workflow if used). - Save. Each package needs its own configuration; only one per package. Alternatively, use CLI (npm v11.10+): npm trust github --file publish.yml --repo owner/repo --env npm. 3. Update your GitHub Actions workflow (.github/workflows/publish.yml): name: Publish on: push: tags: ['v*'] # Or release: types: [created] permissions: id-token: write # Required for OIDC contents: read jobs: publish: runs-on: ubuntu-latest environment: npm # Optional, match npm config steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: '24' # npm 11.5.1+ required; Node 24 includes it registry-url: 'https://registry.npmjs.org' - run: npm ci - run: npm run build # If needed - run: npm publish --provenance # Or set "publishConfig": {"provenance": true} in package.json - Do NOT set NODE_AUTH_TOKEN or registry-url with token; OIDC handles auth. - Use Node 24+ or install npm@latest. - Ensure package.json has "repository" field matching GitHub repo. 4. Remove any old NPM_TOKEN secrets. 5. Test by pushing a tag (e.g., git tag v1.0.1; git push --tags). Notes: - Requires npm CLI 11.5.1+ in workflow. - Automatically generates provenance attestation. - For monorepos, configure per package.

Citations:

🏁 Script executed:

# Find and view the publish_to_npm.yaml file
git ls-files | grep -i "publish.*npm"

Repository: enviodev/hypersync-client-node

Length of output: 111

🏁 Script executed:

# View the workflow file around the relevant lines
sed -n '280,320p' .github/workflows/publish_to_npm.yaml

Repository: enviodev/hypersync-client-node

Length of output: 915

🏁 Script executed:

# Check the permissions section at the top of the workflow
head -n 30 .github/workflows/publish_to_npm.yaml

Repository: enviodev/hypersync-client-node

Length of output: 687

Add --provenance flag and remove authentication env variable for OIDC trusted publishers.

The registry-url and id-token: write permission are correctly configured for OIDC, but the publish step needs two changes:

  1. Add the --provenance flag (required for npm trusted publishers with OIDC)
  2. Remove the env block—OIDC handles authentication automatically; GITHUB_TOKEN will not work with npm's registry
Required fix for npm OIDC trusted publishers 
       - name: Publish
-        run: npm publish --access public
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm publish --access public --provenance
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish_to_npm.yaml at line 292, Update the publish step
to support OIDC trusted publishers by adding the --provenance flag to the npm
publish command and removing the explicit env authentication (remove the env:
GITHUB_TOKEN block) so OIDC can authenticate automatically; ensure the workflow
still retains the registry-url: 'https://registry.npmjs.org' and the id-token:
write permission but do not set GITHUB_TOKEN for the publish step.

- name: Install dependencies
run: yarn install
- name: Download all artifacts
Expand Down
8 changes: 6 additions & 2 deletions npm/darwin-arm64/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,9 @@
},
"os": [
"darwin"
]
}
],
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
}
}
8 changes: 6 additions & 2 deletions npm/darwin-x64/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,9 @@
},
"os": [
"darwin"
]
}
],
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
}
}
8 changes: 6 additions & 2 deletions npm/linux-arm64-gnu/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,9 @@
],
"libc": [
"glibc"
]
}
],
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
}
}
8 changes: 6 additions & 2 deletions npm/linux-x64-gnu/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,9 @@
],
"libc": [
"glibc"
]
}
],
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
}
}
8 changes: 6 additions & 2 deletions npm/linux-x64-musl/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,9 @@
],
"libc": [
"musl"
]
}
],
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
}
}
4 changes: 4 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@
"x86_64-apple-darwin"
]
},
"repository": {
"type": "git",
"url": "https://github.com/enviodev/hypersync-client-node"
},
"license": "MIT",
"devDependencies": {
"@napi-rs/cli": "3.5.0",
Expand Down
Loading