13 changes: 7 additions & 6 deletions .github/workflows/build-native.yml
@@ -170,19 +170,20 @@ jobs:
working-directory: packages/cachekit-core-ts
run: ls -la npm/*/

- name: Publish platform packages
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish steps.
- name: Upgrade npm for OIDC
run: npm install -g npm@latest
Comment on lines +173 to +176

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the build-native.yml file to understand the full context
cat -n .github/workflows/build-native.yml | head -180 | tail -30

Repository: cachekit-io/cachekit-ts

Length of output: 1346


🏁 Script executed:

# Check the Node version being used in the workflow
rg -A 5 -B 5 "node-version" .github/workflows/build-native.yml

Repository: cachekit-io/cachekit-ts

Length of output: 1226


🏁 Script executed:

# Look for release-please.yml file
find .github -name "*release*" -type f

Repository: cachekit-io/cachekit-ts

Length of output: 104


🏁 Script executed:

# Now let's check release-please.yml for similar patterns
cat -n .github/workflows/release-please.yml | grep -A 5 -B 5 "npm"

Repository: cachekit-io/cachekit-ts

Length of output: 1082


🏁 Script executed:

# Let's also search for any npm version specifications in the entire .github directory
rg "npm@" .github/

Repository: cachekit-io/cachekit-ts

Length of output: 217


🏁 Script executed:

# Check if there are any other references to npm installation or OIDC
rg "OIDC|trusted.*publish" .github/workflows/ -i

Repository: cachekit-io/cachekit-ts

Length of output: 691


🌐 Web query:

npm trusted publishing OIDC version requirement Node 22

💡 Result:

To use npm trusted publishing with OpenID Connect (OIDC), you must meet specific version requirements for both the npm CLI and Node.js. As of May 2026, official documentation requires npm CLI version 11.5.1 or later and Node.js version 22.14.0 or higher [1][2]. While some earlier versions of Node.js 22 may not include a compatible version of the npm CLI by default, you can satisfy the requirement by explicitly updating npm within your CI/CD workflow using the command npm install -g npm@latest [3][2]. If you are unable to update the npm CLI, you may encounter authentication errors, such as silent failures or 404 errors, because older versions of the npm client do not correctly handle the OIDC handshake [4]. In summary, ensure your environment uses: - npm CLI: 11.5.1 or later [1][3][2] - Node.js: 22.14.0 or later [1][2] Additionally, your CI/CD workflow must be configured with the necessary OIDC permissions (e.g., id-token: write for GitHub Actions) to generate the required tokens [1][5][6].

Citations:


Pin npm versions in both publish workflows instead of using @latest.

Lines 173-176 in build-native.yml and lines 82-85 in release-please.yml both upgrade npm using npm install -g npm@latest. For OIDC trusted publishing on Node 22, npm 11.5.1+ is required. Using @latest makes release workflows depend on future npm versions rather than a known-compatible baseline. Pin to a specific version (e.g., npm@11.5.1) to ensure deterministic, reproducible releases and prevent unexpected breakage from major npm updates.

♻️ Proposed changes

build-native.yml (lines 173-176):

-      - name: Upgrade npm for OIDC
-        run: npm install -g npm@latest
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@11.5.1

release-please.yml (lines 82-85):

-      - name: Upgrade npm for OIDC
-        run: npm install -g npm@latest
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@11.5.1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish steps.
- name: Upgrade npm for OIDC
run: npm install -g npm@latest
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish steps.
- name: Upgrade npm for OIDC
run: npm install -g npm@11.5.1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-native.yml around lines 173 - 176, Replace the
unpinned npm upgrade step that uses "npm install -g npm@latest" in the "Upgrade
npm for OIDC" step with a pinned, known-compatible version (e.g., "npm@11.5.1")
to ensure deterministic builds; update the same step in both workflows (the
"Upgrade npm for OIDC" step in build-native.yml and the corresponding step in
release-please.yml) so the run command uses the pinned package instead of
`@latest`.


- name: Publish platform packages (OIDC trusted publisher)
working-directory: packages/cachekit-core-ts
run: |
find npm -mindepth 1 -maxdepth 1 -type d -exec npm publish {} --access public --provenance \;
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Prepare main package
working-directory: packages/cachekit-core-ts
run: npx napi prepublish -t npm --skip-gh-release

- name: Publish main package
- name: Publish main package (OIDC trusted publisher)
working-directory: packages/cachekit-core-ts
run: npm publish --access public --provenance --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
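Review bot: the `Upgrade npm for OIDC` step (`npm install -g npm@latest`) puts an unpinned, freshly downloaded npm on the release path immediately before the two `npm publish ... --provenance` steps; pin it to a known-good version and fail fast if the installed CLI is below the minimum the comment names, e.g. `run: npm install -g npm@11.5.1 && npm --version`. Two further checks around the removed `NODE_AUTH_TOKEN` env: the job-level `permissions:` block is outside this hunk, so confirm `id-token: write` is set for this job (with no broader write scope than the publish needs), since without it the OIDC exchange cannot produce a token; and the platform loop `find npm -mindepth 1 -maxdepth 1 -type d -exec npm publish {} --access public --provenance \;` exits 0 even when an individual `npm publish` fails, so a partially published platform set would not fail the job. An explicit `for d in npm/*/; do npm publish "$d" --access public --provenance; done` under the default `bash -e` step shell stops at the first failed publish.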
14 changes: 6 additions & 8 deletions .github/workflows/release-please.yml
@@ -79,13 +79,11 @@ jobs:
- name: Test
run: pnpm test

- name: Configure npm auth
run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish step.
- name: Upgrade npm for OIDC
run: npm install -g npm@latest
Comment on lines +82 to +85

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the release-please.yml file around the mentioned lines
cat -n .github/workflows/release-please.yml | sed -n '70,95p'

Repository: cachekit-io/cachekit-ts

Length of output: 828


🏁 Script executed:

# Also check if there are other workflow files with npm upgrade steps
fd '.yml$|.yaml$' .github/workflows/ --exec grep -l "npm install -g npm" {} \;

Repository: cachekit-io/cachekit-ts

Length of output: 139


🏁 Script executed:

# Let's check the complete context of the release-please.yml file to understand the structure
wc -l .github/workflows/release-please.yml

Repository: cachekit-io/cachekit-ts

Length of output: 107


🏁 Script executed:

# Check build-native.yml for npm upgrade context
grep -n -B5 -A5 "npm install -g npm" .github/workflows/build-native.yml

Repository: cachekit-io/cachekit-ts

Length of output: 589


🏁 Script executed:

# Let's verify the npm version requirements by checking if there's any documentation or package metadata
# Search for any references to npm versions in the repo
rg "11\.5\.1|npm.*version|trusted.*publish" -i --type yaml

Repository: cachekit-io/cachekit-ts

Length of output: 49


🏁 Script executed:

# Check what version of npm is bundled with Node 22
# First, let's see if there's any documentation in the repo about npm/node versions
fd -e md -e txt | xargs rg "npm|node" -i | head -20

Repository: cachekit-io/cachekit-ts

Length of output: 597


🏁 Script executed:

# Search for any existing npm version pins in the codebase
rg "npm@[0-9]" --type yaml

Repository: cachekit-io/cachekit-ts

Length of output: 49


🏁 Script executed:

# Also check package.json files for engines specifications
fd package.json -x cat -n {} | grep -i "node\|npm"

Repository: cachekit-io/cachekit-ts

Length of output: 1341


🌐 Web query:

npm OIDC trusted publishing minimum version requirement

💡 Result:

To use npm trusted publishing with OpenID Connect (OIDC), you must use npm CLI version 11.5.1 or later [1][2][3]. In addition to the CLI version requirement, official documentation specifies that Node.js version 22.14.0 or higher is required [1]. Trusted publishing allows you to publish packages directly from CI/CD environments (such as GitHub Actions or GitLab CI) without the need for long-lived npm access tokens [1][4]. To implement this, you must configure the trusted publisher settings on the npmjs.com package page and ensure your CI/CD workflow has the necessary permissions (e.g., id-token: write in GitHub Actions) to generate and exchange OIDC tokens [5][1][4]. Note that a package must typically exist on the npm registry before you can configure it for trusted publishing [6][7][8].

Citations:


Pin the npm CLI version to the documented minimum for OIDC.

Both release-please.yml (line 85) and build-native.yml (line 176) use npm@latest to upgrade npm for trusted publishing. Since OIDC publishing requires npm >= 11.5.1 (as documented in the comments), using @latest introduces unnecessary drift on a release-critical path. Pin to npm@11.5.1 in both workflows for consistency.

♻️ Proposed changes

release-please.yml:

-        run: npm install -g npm@latest
+        run: npm install -g npm@11.5.1

build-native.yml:

-        run: npm install -g npm@latest
+        run: npm install -g npm@11.5.1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish step.
- name: Upgrade npm for OIDC
run: npm install -g npm@latest
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
# Node 22 ships an older npm; upgrade in-place for the publish step.
- name: Upgrade npm for OIDC
run: npm install -g npm@11.5.1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-please.yml around lines 82 - 85, Update the GitHub
Actions step named "Upgrade npm for OIDC" to pin the npm CLI to the documented
minimum version instead of using `@latest`: change the run invocation from "npm
install -g npm@latest" to "npm install -g npm@11.5.1" (make the same change for
the identical step in build-native.yml); this ensures the OIDC publish step uses
the required npm >= 11.5.1 without introducing version drift.


- name: Publish to npm
- name: Publish to npm (OIDC trusted publisher)
working-directory: packages/cachekit
run: pnpm publish --access public --provenance --no-git-checks
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public --provenance
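Review bot: removing the `Configure npm auth` step that wrote `NPM_TOKEN` into `~/.npmrc` is the right direction, but two points in the replacement need confirming. First, as in build-native.yml, `npm install -g npm@latest` is unpinned on a release-critical path; pin it (e.g. `npm install -g npm@11.5.1`) and assert `npm --version` before publishing. Second, the publish now runs as `pnpm publish --access public --provenance --no-git-checks` rather than `npm publish`: confirm that pnpm delegates the publish and the OIDC token exchange to the upgraded npm CLI on `PATH`, because if it resolves a different npm the step would fall back to token auth, which this change removes (`NODE_AUTH_TOKEN` is gone). Also document why `--no-git-checks` is needed here, since it disables pnpm's clean-working-tree and branch checks that otherwise guard against publishing uncommitted content from the release job. The job-level `permissions:` block is outside this hunk; `id-token: write` must be present for trusted publishing to work.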