feat(plugin-npm): support OIDC auth for CircleCI #7075
Merged
arcanis merged 3 commits into yarnpkg:master, Mar 30, 2026
Conversation
force-pushed 670a26b to 37a015d
blimmer commented Mar 15, 2026
| @@ -0,0 +1,3 @@ | |||
| releases: | |||
| "@yarnpkg/cli": minor | |||
| "@yarnpkg/plugin-npm": minor | |||
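Review bot: the release descriptor bumps both `@yarnpkg/cli` and `@yarnpkg/plugin-npm` as `minor`, which fits a new OIDC provider being a feature rather than a fix, and the CLI bump is needed because the CLI bundle ships the plugin. The hunk header `@@ -0,0 +1,3 @@` shows this is a new file but its path is not visible here; confirm it is the `.yarn/versions` descriptor that `yarn version check` expects, since a descriptor in the wrong place would let the change merge without a release entry.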
blimmer (Contributor, Author) commented:
This is my first time contributing, so please let me know if I'm missing anything here. I believe we only need to update the plugin and the CLI.
| if (process.env.GITLAB_CI) { | ||
| idToken = process.env.NPM_ID_TOKEN || null; | ||
| } else if (process.env.CIRCLECI) { |
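Review bot: the new CircleCI branch opens a second `else if` even though, per the description, it reads the same `NPM_ID_TOKEN` variable as the GitLab CI branch directly above it; merging the two conditions (`if (process.env.GITLAB_CI || process.env.CIRCLECI)`) avoids a second copy of `idToken = process.env.NPM_ID_TOKEN || null;` and keeps the two providers from drifting apart later. A short comment above the block would also help: `CIRCLECI` is set in every CircleCI job, including jobs with no OIDC token configured, so it is the `|| null` fallback rather than the provider check that decides what happens when the token is absent; confirm the caller treats a null `idToken` as "no OIDC available" and reports that clearly instead of attempting the publish with an empty credential.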
blimmer (Contributor, Author) commented:
Here are the docs that this is set in all CircleCI jobs: https://circleci.com/docs/reference/variables/#built-in-environment-variables
CircleCI was recently added as a supported npm trusted publisher provider. Like GitLab CI, it sets the NPM_ID_TOKEN environment variable. This adds detection of the CIRCLECI env var to enable OIDC token exchange during `yarn npm publish`. Closes yarnpkg#7074
force-pushed 37a015d to 55f5ad8
blimmer (Contributor, Author) commented:
Hey @arcanis - we'd love to be able to switch from using static tokens to OIDC publishing. This is a pretty small change following the existing patterns. Any chance I could request a review on it? TYIA!
arcanis approved these changes Mar 30, 2026
What's the problem this PR addresses?
CircleCI was recently added as a supported npm trusted publisher provider, but Yarn's OIDC implementation only supports GitHub Actions and GitLab CI.
The upstream npm CLI already supports CircleCI in `lib/utils/oidc.js` (checking `ciInfo.CIRCLE`). Since Yarn's implementation was adapted from the npm CLI, it should be updated to match. Closes #7074.
How did you fix it?
Added detection of the `CIRCLECI` environment variable in `getOidcToken()`. Like GitLab CI, CircleCI sets the `NPM_ID_TOKEN` environment variable, so the implementation follows the same pattern.
Note: The upstream npm CLI notes that CircleCI doesn't support provenance yet, so the auto-provenance logic in #7017 / #7018 naturally skips CircleCI (no visibility env var to check).
Checklist
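As an added example (not Yarn's or npm's own code), here is the provider-detection pattern the description refers to, extended with the pre-flight checks a publisher wants before an exchanged token is sent: which CI provider was detected, whether `NPM_ID_TOKEN` is actually present, and whether it parses as an unexpired JWT. The function names (`detectProvider`, `decodeJwtPayload`, `getOidcToken`, `makeFakeJwt`), the result shape and the sample token are assumptions; the GitHub Actions HTTP token exchange is deliberately left out, and the payload decode does no signature verification (the registry does that).

```javascript
// Added example, not Yarn's code. Function names and the result shape are
// hypothetical; the env var names (GITHUB_ACTIONS, GITLAB_CI, CIRCLECI,
// NPM_ID_TOKEN) are the ones the PR discussion relies on.

// Detect which CI provider we are running on. Returns null outside a
// recognised CI system so the caller can fall back to other auth methods.
function detectProvider(env) {
  if (env.GITHUB_ACTIONS) return 'github-actions';
  if (env.GITLAB_CI) return 'gitlab-ci';
  if (env.CIRCLECI) return 'circleci';
  return null;
}

// Decode a JWT payload WITHOUT verifying the signature. This is only a local
// sanity check before the token leaves the job; never treat it as trust.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Resolve the ID token for providers that expose it directly as NPM_ID_TOKEN
// (GitLab CI and CircleCI). `now` is injectable so expiry can be tested.
// The raw token is returned to the caller but never logged here.
function getOidcToken(env, now = Date.now()) {
  const provider = detectProvider(env);
  if (provider === null) {
    return {provider, token: null, reason: 'no supported CI provider detected'};
  }
  if (provider === 'github-actions') {
    // GitHub Actions exchanges a token over HTTP; omitted in this example.
    return {provider, token: null, reason: 'token exchange not shown in this example'};
  }
  const raw = env.NPM_ID_TOKEN;
  if (!raw) {
    // CIRCLECI / GITLAB_CI are set in every job, even ones with no OIDC
    // configured, so a missing token must fail closed with a clear reason.
    return {provider, token: null, reason: `${provider} detected but NPM_ID_TOKEN is unset`};
  }
  const payload = decodeJwtPayload(raw);
  if (payload === null) {
    return {provider, token: null, reason: 'NPM_ID_TOKEN is not a JWT'};
  }
  if (typeof payload.exp === 'number' && payload.exp * 1000 <= now) {
    return {provider, token: null, reason: 'NPM_ID_TOKEN has expired'};
  }
  return {provider, token: raw, reason: 'ok'};
}

// Build a constructed, unsigned JWT for offline demonstration only.
function makeFakeJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({alg: 'RS256', typ: 'JWT'})}.${enc(payload)}.sig`;
}

// Stand-alone demo with a constructed CircleCI-like environment.
const demoEnv = {
  CIRCLECI: 'true',
  NPM_ID_TOKEN: makeFakeJwt({exp: Math.floor(Date.now() / 1000) + 600, aud: 'npm:registry.npmjs.org'}),
};
const demo = getOidcToken(demoEnv);
console.log(`provider=${demo.provider} reason=${demo.reason} hasToken=${demo.token !== null}`);
```

The point of returning a `reason` alongside the token is that every failure mode a CI job can hit (no provider, provider without a configured token, malformed or expired token) surfaces as a distinct, loggable message instead of a silent fall-through, while the token value itself stays out of the logs.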