Skip to content

Replace npm token auth with OIDC trusted publishing #656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Replace npm token auth with OIDC trusted publishing #656

Copilot wants to merge 16 commits into from
+169 −15

Conversation

Copy link

Copilot AI commented Jan 6, 2026
edited
Loading

npm classic tokens were revoked as of December 2025. This updates the CI workflow to use OIDC trusted publishing for npm package publishing.

Changes

  • Add id-token: write permission for OIDC authentication
  • Add registry-url: 'https://registry.npmjs.org' to actions/setup-node in publish jobs
  • Replace JS-DevTools/npm-publish action with direct npm publish CLI command
  • Use Node.js 22.x in publish jobs (bundled npm v11.x has OIDC trusted publishing support)
  • Move dependabot exclusion checks to job-level if conditions

Required Setup

Configure trusted publisher on npmjs.com for this package:

  • Repository: SolidOS/solid-ui
  • Workflow filename: ci.yml
Original prompt

On ci.yml, Please update this configuration to replace use of token based authentication with OIDC session management

https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 6, 2026 13:34
@jeswr
Replace npm token auth with OIDC trusted publishing
dfc2638 
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
@jeswr
Fix trailing whitespace in ci.yml
c737309 
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Copilot AI changed the title [WIP] Update ci.yml for OIDC session management Replace npm token auth with OIDC trusted publishing Jan 6, 2026
Copilot AI requested a review from jeswr January 6, 2026 13:36
@jeswr
Copy link

jeswr commented Jan 6, 2026

@copilot please update the workflow to use the npm cli directly as shown in https://docs.npmjs.com/trusted-publishers and remove the use of the JS-DevTools action

@jeswr jeswr mentioned this pull request Jan 6, 2026
Closed
Copilot AI and others added 2 commits January 6, 2026 13:57
@jeswr
Use npm CLI directly instead of JS-DevTools action
e7878f9 
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
@jeswr
Pin npm version to ^11.5.1 for OIDC support
af3d10a 
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Copy link
Author

Copilot AI commented Jan 6, 2026
edited
Loading

@copilot please update the workflow to use the npm cli directly as shown in https://docs.npmjs.com/trusted-publishers and remove the use of the JS-DevTools action

Updated to use npm publish directly instead of JS-DevTools action. The workflow now installs npm v11.5.1+ (required for OIDC support) and calls npm publish --tag <tag> for both publish jobs. See commit af3d10a.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@jeswr
Copy link

jeswr commented Jan 6, 2026

@copilot Please use actions/setup-node rather than npm i -g npm

@jeswr
Use Node.js 22 from setup-node instead of npm install
6b3bb08 
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Copy link
Author

Copilot AI commented Jan 6, 2026

@copilot Please use actions/setup-node rather than npm i -g npm

Updated to use node-version: 22.x in actions/setup-node instead of npm i -g npm. Node.js 22 comes bundled with npm v11.x which supports OIDC trusted publishing. See commit 6b3bb08.

@jeswr jeswr mentioned this pull request Jan 7, 2026
Merged
PreciousOritsedere and others added 4 commits January 13, 2026 10:12
@PreciousOritsedere
update workflow for npm trusted publishing
7ef6381
@PreciousOritsedere
Merge branch 'main' into copilot/update-ci-yml-auth-method
fd452ce
@PreciousOritsedere
added a dry-run publish step to verify OIDC authentication on PRs bef…
5579241 
…ore merging
@PreciousOritsedere
What I've updated in the workflow
40beb81 
Added steps to clear npm token configuration
Changed the verification to warn instead of fail (so you can see the issue)
Added instructions in the logs about removing the secret
@PreciousOritsedere PreciousOritsedere marked this pull request as ready for review January 13, 2026 11:08
Copilot AI review requested due to automatic review settings January 13, 2026 11:08
Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the CI workflow to use OIDC trusted publishing for npm package publishing, replacing deprecated npm classic token authentication that was revoked in December 2025.

Changes:

  • Migrated from token-based authentication (NPM_TOKEN secret) to OIDC trusted publishing for npm
  • Updated Node.js versions to 22.x and 24.x to support npm v10+ with OIDC capabilities
  • Added extensive verification and debugging steps to ensure OIDC authentication works correctly

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/ci.yml Added OIDC permissions, registry URL configuration, token cleanup steps, and replaced JS-DevTools/npm-publish action with direct npm publish CLI commands
package.json Simplified repository URL format by removing git+ prefix

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/ci.yml Outdated
Comment on lines 86 to 101
- name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC
run: |
# Remove any .npmrc file that might contain token auth
if [ -f "$HOME/.npmrc" ]; then
echo "Found .npmrc at $HOME/.npmrc, checking for token auth..."
if grep -q "_authToken" "$HOME/.npmrc"; then
echo "Removing token auth from .npmrc..."
sed -i '/_authToken/d' "$HOME/.npmrc" || true
fi
fi
# Clear npm config token settings
npm config delete //registry.npmjs.org/:_authToken || true
npm config delete _authToken || true
# Note: NODE_AUTH_TOKEN env var from secrets will still be available
# but npm should prefer OIDC when configured correctly
echo "Cleared npm token configuration"
Copy link

Copilot AI Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This step manipulates npm configuration files and settings to work around potential conflicts with OIDC. The extensive token cleanup logic is duplicated in both publish jobs and suggests the workflow might be fighting against the environment setup. Consider removing the NODE_AUTH_TOKEN secret from the repository instead of working around it in the workflow.

Copilot uses AI. Check for mistakes.
.github/workflows/ci.yml Outdated
Comment on lines 107 to 131
- name: Verify OIDC authentication
run: |
echo "Workflow name: ${{ github.workflow }}"
echo "Workflow file: ${{ github.workflow_ref }}"
echo "Repository: ${{ github.repository }}"
echo "Ref: ${{ github.ref }}"
echo "Actor: ${{ github.actor }}"
echo "Event name: ${{ github.event_name }}"
# Check if NODE_AUTH_TOKEN is set (from repository secrets)
if [ -n "$NODE_AUTH_TOKEN" ]; then
echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository"
echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret"
echo "from repository Settings > Secrets and variables > Actions"
echo ""
echo "For now, we'll try to work around it by clearing npm config..."
# Don't exit - try to work around it
else
echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)"
fi
# Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC)
if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work"
else
echo "✓ OIDC token request token is available"
fi
Copy link

Copilot AI Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The extensive verification steps for OIDC authentication (lines 107-235) are duplicated in both npm-publish-build and npm-publish-latest jobs. Consider extracting this logic into a reusable composite action or a shared shell script to reduce duplication and improve maintainability.

Copilot uses AI. Check for mistakes.
.github/workflows/ci.yml
Comment on lines 163 to 173
- name: Test npm publish (dry-run) - PRs only
if: github.event_name == 'pull_request'
run: |
echo "Testing npm publish authentication with dry-run..."
echo "This verifies OIDC authentication works without actually publishing"
npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || {
echo "ERROR: npm publish dry-run failed"
echo "This indicates OIDC authentication is not working correctly"
exit 1
}
echo "✓ npm publish dry-run succeeded - OIDC authentication is working!"
Copy link

Copilot AI Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dry-run test will fail on pull requests because OIDC authentication tokens are only issued for trusted events (push to main, tags, etc.), not for pull_request events. This check should either be removed or the condition should be adjusted to skip it for pull requests, as OIDC authentication cannot be verified in PR contexts.

Suggested change
- name: Test npm publish (dry-run) - PRs only
if: github.event_name == 'pull_request'
run: |
echo "Testing npm publish authentication with dry-run..."
echo "This verifies OIDC authentication works without actually publishing"
npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || {
echo "ERROR: npm publish dry-run failed"
echo "This indicates OIDC authentication is not working correctly"
exit 1
}
echo "✓ npm publish dry-run succeeded - OIDC authentication is working!"
- name: Skip npm publish dry-run on PRs (OIDC not available)
if: github.event_name == 'pull_request'
run: |
echo "Skipping npm publish dry-run on pull_request events."
echo "OIDC tokens are only issued for trusted events (e.g., push to main, tags, workflow_dispatch),"
echo "so npm publish authentication cannot be verified in PR contexts."
echo "This step is intentionally a no-op for pull requests."

Copilot uses AI. Check for mistakes.
.github/workflows/ci.yml Outdated
Comment on lines 196 to 210
run: |
# Remove any .npmrc file that might contain token auth
if [ -f "$HOME/.npmrc" ]; then
echo "Found .npmrc at $HOME/.npmrc, checking for token auth..."
if grep -q "_authToken" "$HOME/.npmrc"; then
echo "Removing token auth from .npmrc..."
sed -i '/_authToken/d' "$HOME/.npmrc" || true
fi
fi
# Clear npm config token settings
npm config delete //registry.npmjs.org/:_authToken || true
npm config delete _authToken || true
# Note: NODE_AUTH_TOKEN env var from secrets will still be available
# but npm should prefer OIDC when configured correctly
echo "Cleared npm token configuration"
Copy link

Copilot AI Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This token cleanup logic is duplicated from the npm-publish-build job (lines 86-101). Extract this into a reusable composite action or shell script to eliminate the duplication.

Suggested change
run: |
# Remove any .npmrc file that might contain token auth
if [ -f "$HOME/.npmrc" ]; then
echo "Found .npmrc at $HOME/.npmrc, checking for token auth..."
if grep -q "_authToken" "$HOME/.npmrc"; then
echo "Removing token auth from .npmrc..."
sed -i '/_authToken/d' "$HOME/.npmrc" || true
fi
fi
# Clear npm config token settings
npm config delete //registry.npmjs.org/:_authToken || true
npm config delete _authToken || true
# Note: NODE_AUTH_TOKEN env var from secrets will still be available
# but npm should prefer OIDC when configured correctly
echo "Cleared npm token configuration"
run: .github/scripts/clear-npm-token.sh

Copilot uses AI. Check for mistakes.
@bourgeoa
Copy link
Contributor

bourgeoa commented Jan 13, 2026
edited
Loading

@PreciousOritsedere @jeswr
did you try npm publish --access public this should avoid the creation of NODE_AUTH_TOKEN by. NPM
See https://dev.to/zhangjintao/from-deprecated-npm-classic-tokens-to-oidc-trusted-publishing-a-cicd-troubleshooting-journey-4h8b

@PreciousOritsedere
Copy link

PreciousOritsedere commented Jan 13, 2026

https://dev.to/zhangjintao/from-deprecated-npm-classic-tokens-to-oidc-trusted-publishing-a-cicd-troubleshooting-journey-4h8b

Thank you, let me try this now

@PreciousOritsedere
- Added script verification ste
10d1bef 
- Added --access public flag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jeswr jeswr Awaiting requested review from jeswr

Assignees

@jeswr jeswr

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jeswr @bourgeoa @PreciousOritsedere