
chore: configure npm Trusted Publishers (OIDC) for publish workflows#975

Merged
ivanasabi merged 8 commits into main from chore/GH-974-trusted-publisher-oidc
Mar 16, 2026

Conversation

@ivanasabi (Contributor)

Closes #974

Summary

Migrate npm publish authentication from static NPM_TOKEN secrets to npm Trusted Publishers (OIDC), eliminating long-lived tokens in favor of short-lived OIDC tokens automatically generated by GitHub Actions.

Changes

New unified workflow

  • Create .github/workflows/code-npm_node-publish-release-and-snapshot.yml
    • Combines the existing release and snapshot publish workflows into a single file with two jobs
    • Uses id-token: write permission for OIDC authentication (no NPM_TOKEN / NODE_AUTH_TOKEN)
    • Conditionally upgrades npm to >=11.5.1 (required for Trusted Publishing support)
    • Improved GPG signing setup (gpg-agent, loopback-pinentry, preset-passphrase)
    • Annotated + signed git tags
    • Release commit includes packages/*/package.json
    • NPM_CONFIG_PROVENANCE explicitly set to "false"

Removed workflows

  • Delete .github/workflows/code-npm_node-release.yml
  • Delete .github/workflows/code-npm_node-publish_snapshot.yml

Not affected

  • .github/workflows/code-release_preview.yml — works independently

npm/Node compatibility

  • Node.js: 22.17.1 (via code/.tool-versions)
  • Bundled npm: 10.9.2 (does NOT support OIDC)
  • Required npm: >= 11.5.1
  • Conditional upgrade step ensures npm is upgraded only when needed, avoiding downgrades if a future Node version ships with npm >= 11.5.1

References

  • Jira: OSOFFICE-280
  • Validated in: InditexTech/npm-release-testing

…974)

Migrate npm publish authentication from static NPM_TOKEN secrets to npm
Trusted Publishers (OIDC), eliminating long-lived tokens in favor of
short-lived OIDC tokens automatically generated by GitHub Actions.

- Create unified workflow combining release and snapshot publish jobs
- Use id-token: write permission for OIDC authentication
- Conditionally upgrade npm to >=11.5.1 (required for OIDC support)
- Improve GPG signing setup (gpg-agent, loopback-pinentry, preset-passphrase)
- Use annotated + signed git tags
- Include packages/*/package.json in release commits
- Set NPM_CONFIG_PROVENANCE to false
- Remove old code-npm_node-release.yml and code-npm_node-publish_snapshot.yml

Copilot AI left a comment


Pull request overview

This PR migrates npm publish authentication from static NPM_TOKEN secrets to npm Trusted Publishers (OIDC), combining the previously separate release and snapshot publish workflows into a single unified workflow file. This eliminates long-lived npm tokens in favor of short-lived OIDC tokens automatically generated by GitHub Actions.

Changes:

  • Created .github/workflows/code-npm_node-publish-release-and-snapshot.yml combining both publish jobs with id-token: write permissions, conditional npm upgrade to >= 11.5.1, improved GPG signing setup, and annotated/signed git tags
  • Deleted the separate .github/workflows/code-npm_node-publish_snapshot.yml and .github/workflows/code-npm_node-release.yml workflows
  • Removed all references to NPM_TOKEN/NODE_AUTH_TOKEN secrets in favor of OIDC-based authentication

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • .github/workflows/code-npm_node-publish-release-and-snapshot.yml: New unified workflow with OIDC auth, npm version upgrade, improved GPG setup, and both snapshot + release jobs
  • .github/workflows/code-npm_node-publish_snapshot.yml: Deleted — snapshot publishing moved to the unified workflow

Comments suppressed due to low confidence (3)

.github/workflows/code-npm_node-publish-release-and-snapshot.yml:5

  • The concurrency key code-publish-${{ github.ref }} is now shared between both the publish-snapshot and release jobs. For issue_comment events, github.ref resolves to the default branch (e.g., refs/heads/main), not the PR branch. This means a snapshot publish triggered via PR comment could cancel an in-progress release job (or vice versa), since they'd share the same concurrency group code-publish-refs/heads/main.

Previously, the snapshot workflow used code-publish-snapshot-${{ github.ref }} and the release workflow used code-release-${{ github.ref }}, so they could not interfere with each other. Consider using job-level concurrency groups instead (e.g., code-publish-snapshot-... and code-publish-release-...) to restore the isolation.
.github/workflows/code-npm_node-publish-release-and-snapshot.yml:133

  • The publish-snapshot job is missing the NPM / Create Cache Folders step (mkdir -p "$HOME"/.npm) that exists in the release job (line 316-318) and was present in the old snapshot workflow. While this may not always cause a failure (the directory might already exist), it's inconsistent with the release job and could cause issues if the .npm cache directory doesn't exist.

.github/workflows/code-npm_node-publish-release-and-snapshot.yml:185

  • The publish-snapshot job's publish step (line 180-185) does not set NPM_CONFIG_PROVENANCE: "false", unlike the release job (line 390). Since both jobs now use npm >= 11.5.1 with OIDC (id-token: write), npm may automatically attempt to generate provenance attestations during snapshot publishing. If provenance should be explicitly disabled (as stated in the PR description), this env var should be set here as well for consistency.


- Move permissions from workflow-level to job-level (SonarQube)
- Restore job-level concurrency groups to prevent snapshot/release
  interference on issue_comment events
- Add missing NPM / Create Cache Folders step to publish-snapshot job
- Add NPM_CONFIG_PROVENANCE: false to snapshot publish step
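A job sketch of the layout the thread converges on (job-level permissions with id-token: write, a per-job concurrency group, the conditional npm upgrade, the cache-folder step and provenance disabled), written here as an added illustration and not the workflow file from this PR. The workflow name, the workflow_dispatch trigger, the use of actions/setup-node instead of asdf, and the publish flags are assumptions.

```yaml
name: npm publish (snapshot + release)   # assumed name, not this PR's workflow file

on:
  workflow_dispatch:   # assumed trigger; the PR's workflow reacts to issue_comment events

# No workflow-level permissions block: each job declares its own (least privilege).
jobs:
  publish-snapshot:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets npm mint a short-lived OIDC token; no NPM_TOKEN secret needed
    # Job-level group, so a snapshot publish cannot cancel an in-flight release:
    # for issue_comment events github.ref is the default branch for both jobs.
    concurrency:
      group: code-publish-snapshot-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4   # assumed; the PR installs Node via asdf/.tool-versions
        with:
          node-version: 22.17.1   # bundles npm 10.9.2, which has no Trusted Publishing support

      - name: NPM / Create Cache Folders
        run: mkdir -p "$HOME"/.npm

      # Upgrade only when the bundled npm is older than 11.5.1, so a future Node
      # release that already ships a newer npm is never downgraded.
      - name: NPM / Ensure npm >= 11.5.1 (Trusted Publishing)
        run: |
          current="$(npm --version)"
          required="11.5.1"
          # sort -V orders versions; if the lowest is not the requirement, current is older
          if [ "$(printf '%s\n' "$required" "$current" | sort -V | head -n1)" != "$required" ]; then
            echo "npm $current < $required, upgrading"
            npm install -g "npm@>=11.5.1"
          else
            echo "npm $current already supports Trusted Publishing"
          fi

      - name: NPM / Publish snapshot
        env:
          NPM_CONFIG_PROVENANCE: "false"   # set on both jobs so npm does not try to attest
        run: npm publish --tag snapshot --access public   # assumed flags

  # The release job follows the same pattern with its own group, e.g.
  # concurrency.group: code-publish-release-${{ github.ref }}
```

For the OIDC exchange to succeed, the package on npmjs.com must also have this repository and workflow filename registered as a Trusted Publisher; the workflow alone does not grant publish rights.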

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


Replace code-npm_node-release.md with code-npm_node-publish-release-and-snapshot.md
reflecting OIDC authentication, GPG signing, snapshot job, and job-level permissions.

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.


- Restore asdf cache-hit guard on both jobs to skip install on cache hit
- Fix "Github" -> "GitHub" in release step name and error message

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.


@ivanasabi ivanasabi added the skip-release Skips the release creation label Mar 12, 2026

@ivanasabi ivanasabi merged commit 49ea022 into main Mar 16, 2026
13 checks passed
@ivanasabi ivanasabi deleted the chore/GH-974-trusted-publisher-oidc branch March 16, 2026 13:10

Development

Successfully merging this pull request may close these issues.

Configure npm Trusted Publishers (OIDC) for release and snapshot workflows