
Conversation

@Strift (Collaborator) commented Dec 11, 2025

Pull Request

What does this PR do?

PR checklist

Please check if your PR fulfills the following requirements:

  • Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
  • Have you read the contributing guidelines?
  • Have you made sure that the title is accurate and descriptive of the changes?

Thank you so much for contributing to Meilisearch!

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration for improved security and consistency.

Note: This release contains no changes visible to end-users. Updates were made to internal infrastructure only.


changeset-bot commented Dec 11, 2025

⚠️ No Changeset found

Latest commit: a43c11f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


💥 An error occurred when fetching the changed packages and changesets in this PR
Some errors occurred when validating the changesets config:
The package or glob expression "@meilisearch/geo-playground" is specified in the `ignore` option but it is not found in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

@Strift Strift requested a review from curquiza December 11, 2025 07:06
coderabbitai bot commented Dec 11, 2025

Warning

Rate limit exceeded

@Strift has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 1 minute and 37 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


📥 Commits

Reviewing files that changed from the base of the PR and between fbc37af and a43c11f.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (1 hunks)

Walkthrough

This is a configuration update to the GitHub Actions publish workflow. Single-quoted branch patterns are converted to double-quoted strings, a permissions block is added at the top level granting id-token write and contents read access, and the Node.js version string is normalized to double quotes.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/publish.yml)
Change Summary: Normalize branch pattern quotes to double-quoted strings, add top-level permissions block (id-token: write, contents: read), and normalize Node.js version string quoting to "18.x"

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Straightforward quote normalization and configuration-only changes with no logic modifications

Poem

🐰 Quotes now consistent, permissions aligned,
A workflow refined, with care redesigned,
Single to double, the pattern takes flight,
Our tokens protected, permissions just right! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Title check: ✅ Passed. The PR title 'Configure trusted publishing' directly relates to the main change: updating the publish.yml workflow with OIDC token generation permissions for trusted publishing.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 547b558 and fbc37af.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (2 hunks)
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

7-9: Quote normalization is safe.

Converting single to double quotes in YAML branch patterns and the node-version string is a stylistic consistency improvement with no functional impact.

Also applies to: 25-25

permissions:
  id-token: write # Required for OIDC
  contents: read

coderabbitai bot commented Dec 11, 2025

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

changesets/action OIDC trusted publishing npm support

💡 Result:

Short answer: changesets/action does not yet support npm Trusted Publishing / OIDC. The action still expects an NPM_TOKEN (secret) for publishing; there is an open feature request to add Trusted‑Publishing / OIDC support. [1][2][3]

What to do now (concise):

  • Use a separate publish job that uses npm's Trusted Publishing (OIDC) flow (give workflow permission id-token: write and run npm@>=11.5.1 or an action that supports OIDC). Example actions and docs show using OIDC instead of a stored NPM_TOKEN. [3][4]

Sources:

  • changesets/action README (publishing uses NPM_TOKEN secret). [1]
  • changesets/action issues — open feature request “Support Trusted Publishing”. [2]
  • npm Trusted Publishing / OIDC docs (how to configure OIDC publish and required workflow permissions). [3]
  • Example npm-publish action docs showing OIDC/trusted-publishing usage (omit token when trusted publishing is configured). [4]

OIDC permissions are correctly scoped, but the workflow cannot currently use them.

The permissions block properly enables OIDC token generation with id-token: write and restricts repository access with contents: read. However, changesets/action@v1 does not yet support npm Trusted Publishing / OIDC—it still requires NPM_TOKEN secrets. The permissions alone will not enable OIDC in this workflow.

The workflow should either:

  1. Await OIDC support in changesets/action (open feature request), or
  2. Replace the changesets/action publish step with a separate job using an OIDC-compatible action (e.g., npm@>=11.5.1 or a dedicated npm-publish action that supports Trusted Publishing).

Currently, the NPM_TOKEN secrets (lines 11, 36, 44) remain the only authentication mechanism for publishing.

Member commented

@Strift can you check what we can do with changeset please? 😊

coderabbitai bot commented

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@Strift (Collaborator Author) commented

@coderabbitai review the changes to workflow structure

coderabbitai bot commented

@Strift, here's my review of the workflow structure changes:

Workflow Structure Analysis

Good Structural Elements

  1. Clear Job Separation: The workflow maintains two distinct jobs with well-defined responsibilities:

    • version-packages: Handles versioning using changesets (Node 18.x)
    • publish-packages: Handles building and publishing (Node 24.x)
  2. Permissions Block: The new top-level permissions block is correctly positioned and scoped:

    • id-token: write enables OIDC token generation
    • contents: read provides minimal repository access
    • Applies to both jobs in the workflow
  3. Branch Triggers: Double-quoted branch patterns maintain the same filtering logic (main, pre-release-beta, beta, prototype-beta)

⚠️ Structural Concerns

  1. No Job Dependencies: The two jobs appear to run in parallel with no explicit ordering. Consider if publish-packages should depend on version-packages:

    publish-packages:
      needs: version-packages
      name: Publish Packages
  2. Missing OIDC Configuration: While the permissions enable OIDC token generation, the workflow lacks the configuration to actually use it:

    • No .npmrc setup for provenance
    • No --provenance flag in the publish command
    • Still relies on NODE_AUTH_TOKEN from secrets (line 11)
    • The yarn release command needs to be configured to use OIDC instead of the token
  3. Incomplete OIDC Migration: The workflow appears to be in a hybrid state:

    • OIDC permissions are enabled
    • But traditional NPM_TOKEN authentication is still configured
    • The publishing mechanism may not actually use the OIDC token

💡 Recommendations

To complete the OIDC/trusted publishing migration:

  1. Configure npm for provenance in the publish job:

    - name: Setup .npmrc for provenance
      run: |
        echo "provenance=true" >> .npmrc
  2. Verify yarn release is configured to use npm >= 11.5.1 or properly configured for OIDC

  3. Consider removing NODE_AUTH_TOKEN once OIDC is fully configured (npm will automatically use OIDC tokens when available)

  4. Add job dependencies if versioning should complete before publishing

The structural foundation for OIDC is in place, but the workflow needs additional configuration to actually leverage trusted publishing.
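The publish job the review above describes (OIDC permissions plus an npm new enough to use them, and no NODE_AUTH_TOKEN secret), as an added example that is not the PR's own publish.yml. It assumes a trusted publisher for the package has been registered on npmjs.com for this repository and workflow file, a single public package published with plain `npm publish` in place of `yarn release`, and an ubuntu-latest runner; all three are assumptions, not taken from the PR.

```yaml
name: Publish Packages

on:
  push:
    branches: ["main"]

# Least privilege at the top level: the job needs an OIDC token and a
# read-only checkout, nothing else. No NPM_TOKEN secret is referenced.
permissions:
  id-token: write # lets the runner request a GitHub OIDC token
  contents: read

jobs:
  publish-packages:
    name: Publish Packages
    runs-on: ubuntu-latest
    # In the PR's two-job layout, `needs: version-packages` would go here
    # so versioning finishes before publishing (assumed, not in the PR).
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "24.x"
          # registry-url tells npm which registry to exchange the OIDC
          # token with; without it no token exchange takes place.
          registry-url: "https://registry.npmjs.org"
        # Deliberately no NODE_AUTH_TOKEN env block, unlike the
        # token-based setup the review flags.

      # Trusted publishing needs npm >= 11.5.1; upgrade explicitly
      # rather than relying on the npm bundled with the Node release.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build

      # npm exchanges the GitHub OIDC token for a short-lived publish
      # credential, and --provenance attaches a signed build attestation.
      # Assumption: one public package; a workspaces monorepo would add
      # --workspaces to this command.
      - run: npm publish --provenance --access public
```

If the registry has no trusted publisher configured for this repository and workflow, the publish step fails at authentication rather than silently falling back to a token, which is the signal to check the npmjs.com package settings.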

flevi29 previously approved these changes Dec 11, 2025

flevi29 (Collaborator) left a comment

According to the AI this might not work, but I'll approve it for now.

- Split the workflow into two jobs: 'version-packages' and 'publish-packages'.
- Updated Node.js version for the publish job to 24.x.
- Removed unnecessary environment variables and steps related to npm authentication.
- Adjusted the 'Create Release Pull Request' step to not publish automatically.
@Strift Strift force-pushed the chore/add-OIDC-permissions branch from 0277c6f to a43c11f Compare December 13, 2025 03:57
@Strift (Collaborator Author) commented Dec 13, 2025

@coderabbitai review

coderabbitai bot commented Dec 13, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

4 participants