ci: migrate npm release to OIDC trusted publishing #68

Merged
jaredwray merged 4 commits into main from claude/release-oidc-migration-uzhip0
Jun 21, 2026
@jaredwray

Contributor

Summary

Migrates the npm release workflow from a long-lived NPM_TOKEN secret to npm's OIDC trusted publishing. This removes the need to store and rotate a publish token in repository secrets — GitHub Actions exchanges a short-lived OIDC token with the npm registry at publish time.

Changes

  • Add id-token: write permission — required so the workflow can request the OIDC token used for the registry handshake.
  • Upgrade npm to latest (npm install -g npm@latest) — trusted publishing requires npm ≥ 11.5.1.
  • Drop the token auth — removed the npm config set //registry.npmjs.org/:_authToken line and the NPM_TOKEN env. npm publish now authenticates via OIDC.

Follow-up (one-time, in npm settings)

For this to work end-to-end, the package's Trusted Publisher must be configured on npmjs.com for @hyphen/browser-sdk, pointing at this repo and the release.yaml workflow. Once verified, the NPM_TOKEN secret can be deleted from the repository settings.

🤖 Generated with Claude Code

https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM

Replace the long-lived NPM_TOKEN secret with npm's OIDC trusted
publishing:

- Add id-token: write permission required for OIDC token exchange
- Upgrade npm to latest to ensure trusted publishing support
  (requires npm >= 11.5.1)
- Drop the _authToken config and NPM_TOKEN env; npm publish now
  authenticates to the registry via OIDC

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f8d468718

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/release.yaml Outdated

npm trusted publishing requires the package's repository.url to match
the GitHub repository, otherwise the OIDC publish handshake fails.
package.json had no repository field, so add repository, bugs, and
homepage pointing at Hyphen/browser-sdk.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM

Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/release.yaml Outdated

Address review feedback to standardize on pnpm:

- Publish with pnpm publish (OIDC trusted publishing) instead of npm
- Drop the npm upgrade step; pnpm is provided by pnpm/action-setup
- Remove the redundant corepack enable step now that pnpm/action-setup
  installs pnpm

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM

Comment thread .github/workflows/release.yaml Outdated

Per review feedback, drop the cache: 'pnpm' option from the Node.js
setup step in the release workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM

@jaredwray merged commit 0f2f218 into main Jun 21, 2026
7 checks passed
@jaredwray deleted the claude/release-oidc-migration-uzhip0 branch June 21, 2026 17:59
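
A pre-flight check for the three preconditions this PR relies on (the id-token: write permission, no leftover token auth in the workflow, and a package.json repository that matches the GitHub repository), as an added example that is not part of the PR or the project's code. The function names, the trimmed workflow fragments and the comment-stripping heuristic are assumptions made for illustration.

```javascript
// Reduce the usual package.json "repository" spellings to "owner/repo".
function repoSlug(repository) {
  const raw = typeof repository === 'string' ? repository : repository && repository.url;
  if (typeof raw !== 'string') return null;
  const m = raw.trim().match(
    /^(?:github:|(?:git\+)?(?:https?|ssh|git):\/\/(?:[^@\/]+@)?github\.com\/|git@github\.com:)?([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/
  );
  return m ? `${m[1]}/${m[2]}` : null;
}

// Returns a list of problems; an empty list means the three preconditions hold.
function preflight({ pkg, workflow, githubRepository }) {
  const problems = [];
  const slug = repoSlug(pkg.repository);
  // Exact comparison: how the registry treats letter case is not stated on the page.
  if (slug === null) problems.push('package.json: repository missing or not a GitHub URL');
  else if (slug !== githubRepository)
    problems.push(`package.json: repository is ${slug}, workflow runs in ${githubRepository}`);
  // Drop YAML comments so a commented-out line neither satisfies nor trips a check.
  const live = workflow.split('\n').map((l) => l.replace(/(^|\s)#.*$/, '')).join('\n');
  if (!/^\s*id-token:\s*write\s*$/m.test(live))
    problems.push('workflow: no "id-token: write", so no OIDC token can be requested');
  for (const leftover of ['_authToken', 'NPM_TOKEN'])
    if (live.includes(leftover)) problems.push(`workflow: still references ${leftover}`);
  return problems;
}

// Constructed, trimmed workflow fragments (before and after the migration).
const BEFORE = `
permissions:
  contents: read
steps:
  - run: npm config set //registry.npmjs.org/:_authToken \${NPM_TOKEN}
  - run: npm publish
    env:
      NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`;
const AFTER = `
permissions:
  contents: read
  id-token: write   # needed to request the OIDC token
steps:
  # NPM_TOKEN can be deleted once the trusted publisher is verified
  - run: pnpm publish
`;
const REPO = 'Hyphen/browser-sdk'; // in CI this would be process.env.GITHUB_REPOSITORY
const fixedPkg = { repository: { type: 'git', url: 'git+https://github.com/Hyphen/browser-sdk.git' } };
console.log('before:', preflight({ pkg: {}, workflow: BEFORE, githubRepository: REPO }));
console.log('after: ', preflight({ pkg: fixedPkg, workflow: AFTER, githubRepository: REPO }));
```

The check is a text scan, so it treats any `#` preceded by whitespace as the start of a comment and does not resolve job-level versus workflow-level permissions.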