Migrate npm publish to trusted publishers (OIDC)#113

Merged
JustWalters merged 5 commits into master from feature/npm-trusted-publishers on Mar 5, 2026

Conversation

@JustWalters JustWalters commented Mar 3, 2026

Summary

  • https://docs.npmjs.com/trusted-publishers
  • Removes ENVOY_NPM_AUTOMATION_TOKEN secret dependency in favor of npm trusted publishing via OIDC (id-token: write)
  • Adds workflow_dispatch trigger for manual testing before merge
  • Upgrades to Node 24 (ships with npm 11.5.1+ required for trusted publishing)
  • Removes --tag beta so releases publish to latest
  • Fixes deprecated ::set-output → $GITHUB_OUTPUT
  • GitHub Packages publish step is unchanged (still uses GITHUB_TOKEN)

Test plan

  • Trigger the workflow manually via Actions tab (workflow_dispatch) to verify OIDC auth works
  • Confirm provenance attestation appears on the published package on npmjs.com
  • Merge and verify next release publishes correctly to latest

🤖 Generated with Claude Code

JustWalters and others added 4 commits March 3, 2026 14:56
Removes the ENVOY_NPM_AUTOMATION_TOKEN secret dependency in favor of
npm trusted publishing via OIDC. Adds workflow_dispatch for manual
testing. Also upgrades to Node 24, drops --tag beta, and fixes
deprecated ::set-output syntax.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents 409 failures when manually triggering for testing purposes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@JustWalters JustWalters marked this pull request as ready for review March 3, 2026 21:23
@JustWalters JustWalters requested a review from Copilot March 3, 2026 21:23
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5dd57f6f65

Copilot AI left a comment

Pull request overview

Migrates the npm publish workflow to npm Trusted Publishers (OIDC) to remove reliance on long-lived npm automation tokens, while updating the release publishing behavior.

Changes:

  • Add id-token: write and adjust job permissions to support OIDC-based npm publishing.
  • Upgrade the publish workflow to Node 24 and modernize outputs (::set-output → $GITHUB_OUTPUT).
  • Publish releases without the beta dist-tag (publishing to latest) for both npmjs and GitHub Packages.

Comments suppressed due to low confidence (1)

.github/workflows/package.yaml:23

  • Minor robustness: redirecting to $GITHUB_OUTPUT is safer when quoted (e.g., >> "$GITHUB_OUTPUT") in case the path ever contains spaces or special characters.
          echo "version=$(node --version)" >> $GITHUB_OUTPUT

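The shape of a trusted-publisher workflow, as an added example that combines the items in the PR summary (id-token: write, Node 24, no automation-token secret, workflow_dispatch, pre-release skip) with the quoting Copilot suggests for $GITHUB_OUTPUT. This is not the project's own .github/workflows/package.yaml; the workflow name, step ids and the public-package assumption are mine, and the unchanged GitHub Packages job (GITHUB_TOKEN with packages: write) is omitted.

```yaml
# Added example, not the project's workflow file. Assumes a trusted publisher
# is configured on npmjs.com for this repository and this workflow filename.
name: package

on:
  release:
    types: [published]
  workflow_dispatch:          # manual run to verify OIDC auth before merging

# Least privilege at the top level; the job raises only what it needs.
permissions:
  contents: read

jobs:
  publish-npm:
    runs-on: ubuntu-latest
    # Skip pre-releases; RC builds go through a separate manual workflow.
    if: github.event_name == 'workflow_dispatch' || !github.event.release.prerelease
    permissions:
      contents: read
      id-token: write         # lets npm exchange the job's OIDC token for a short-lived publish credential
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24    # bundles npm >= 11.5.1, the minimum for trusted publishing
          registry-url: https://registry.npmjs.org

      - id: node
        # Quote the redirect target so a path with spaces cannot split the command.
        run: echo "version=$(node --version)" >> "$GITHUB_OUTPUT"

      - run: npm ci

      # No NODE_AUTH_TOKEN and no long-lived secret: npm mints the credential from
      # the OIDC token, and a provenance attestation is attached to the publish.
      # No --tag beta, so the release lands on the latest dist-tag.
      - run: npm publish --access public
```

Run it once via workflow_dispatch and confirm on npmjs.com that the version carries a provenance attestation before relying on the release trigger.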
Both npm and GitHub Packages publishes are skipped when a release is
marked as pre-release. Use publish-rc-manual.yaml for internal RC builds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


@JustWalters JustWalters requested review from a team March 3, 2026 21:47
@JustWalters JustWalters merged commit 9611ad8 into master Mar 5, 2026
8 checks passed
@JustWalters JustWalters deleted the feature/npm-trusted-publishers branch March 5, 2026 16:04
3 participants