Skip to content

fix(release): enable npm trusted publishing (OIDC) on main to match stable branches#242

Open
cipolleschi wants to merge 1 commit into
mainfrom
fix/main-release-oidc
Open

fix(release): enable npm trusted publishing (OIDC) on main to match stable branches#242
cipolleschi wants to merge 1 commit into
mainfrom
fix/main-release-oidc

Conversation

@cipolleschi

Copy link
Copy Markdown
Contributor

Ports the release workflow fixes proven out on 0.87-stable so that future stable branches cut from main publish successfully via npm trusted publishing.

What changed in release.yaml

  • Add permissions: id-token: write (OIDC token exchange) + contents: write (push the bump commit/tag).
  • Bump actions/setup-node@v4.0.0@v6. v4 predates OIDC support and writes a placeholder NODE_AUTH_TOKEN that makes npm attempt token auth (→ E404/ENEEDAUTH) instead of OIDC.
  • package-manager-cache: false (docs-recommended; avoids leaking the short-lived OIDC token via a poisoned cache).

registry-url and environment: npm-publish were already present. package.json already has the repository field (required for provenance) via #241.

This is the complete diff vs 0.87-stable

release.yaml was the only difference between main and 0.87-stable across all workflows + scripts; nightly.yaml, scripts/, and the package.json repository field were already identical.

⚠️ Follow-ups (not in this PR)

  1. Every new stable branch still needs its own npm trusted-publisher entry matching release.yaml + environment npm-publish (npm allows only one trusted publisher per package, so it must be re-pointed/created per release line).
  2. nightly.yaml still publishes with NODE_AUTH_TOKEN: secrets.NPM_TOKEN — see PR discussion; needs a decision since npm allows only one trusted publisher per package.

…anches

Ports the working release setup from 0.87-stable so branches cut from main start correct:
- add permissions: id-token: write (OIDC) + contents: write (push commit/tag)
- bump actions/setup-node@v4.0.0 -> @v6 (older versions write a placeholder NODE_AUTH_TOKEN that defeats OIDC, causing E404/ENEEDAUTH)
- package-manager-cache: false (avoid leaking the short-lived OIDC token)

package.json already has the repository field (needed for provenance) via #241.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant