ci(release): drop token plumbing — OIDC trusted publishers only#120
Merged
stackbilt-admin merged 1 commit intomainfrom Apr 18, 2026
Merged
ci(release): drop token plumbing — OIDC trusted publishers only#120stackbilt-admin merged 1 commit intomainfrom
stackbilt-admin merged 1 commit intomainfrom
Conversation
Root cause of the v0.12.0 E404 on adf: actions/setup-node's
registry-url option writes ~/.npmrc with
`//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`, which makes
npm CLI prefer token auth for the PUT request — even with
--provenance flag and trusted publishers configured for the
package. With NPM_TOKEN now revoked on the account side, the
token string is dead, the publish PUT returns 404 (npm's stealth
rejection for unauthorized write).
Fix:
1. Drop `registry-url` from setup-node — prevents .npmrc generation.
2. Drop `NODE_AUTH_TOKEN` env from the publish step — nothing reads it.
With neither present, npm CLI sees `id-token: write` +
`--provenance` + trusted publisher configured on each package,
and uses OIDC for both provenance signing AND publish auth.
The NPM_TOKEN repo secret becomes irrelevant after this change
and can be deleted in a follow-up PR.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
stackbilt-admin
pushed a commit
that referenced
this pull request
Apr 18, 2026
The prior fix (#120) removed token plumbing expecting npm's `--provenance` flag to drive OIDC-based publish auth. It doesn't — `--provenance` only signs attestations via OIDC. Publish auth via OIDC for trusted publishers requires **npm 11.5.1+**, which is newer than what setup-node bundles with Node 20 (currently ~10.x). Result: v0.12.0 publish returned ENEEDAUTH — the CLI had no token (correct end state) but didn't know how to use OIDC for auth. Fix: install npm@latest globally before the publish step. 11.12.1 as of 2026-04-18 has first-class trusted-publisher OIDC auth. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5 tasks
stackbilt-admin
added a commit
that referenced
this pull request
Apr 18, 2026
The prior fix (#120) removed token plumbing expecting npm's `--provenance` flag to drive OIDC-based publish auth. It doesn't — `--provenance` only signs attestations via OIDC. Publish auth via OIDC for trusted publishers requires **npm 11.5.1+**, which is newer than what setup-node bundles with Node 20 (currently ~10.x). Result: v0.12.0 publish returned ENEEDAUTH — the CLI had no token (correct end state) but didn't know how to use OIDC for auth. Fix: install npm@latest globally before the publish step. 11.12.1 as of 2026-04-18 has first-class trusted-publisher OIDC auth. Co-authored-by: Kurt Overmier <kurt@stackbilt.dev> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Root cause found for the v0.12.0
E404on@stackbilt/adf: the workflow's token plumbing was short-circuiting the OIDC flow that trusted publishers require.actions/setup-node'sregistry-url: 'https://registry.npmjs.org'option writes~/.npmrcwith//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}.--provenanceand trusted publishers configured on every package.NPM_TOKENnow revoked at the account level (per trusted-publisher migration), the token string is a dead value. npm's stealth 404 for unauthorized writes is what we've been seeing.Change
Two deletions from
.github/workflows/release.yml:registry-url: 'https://registry.npmjs.org'removed fromactions/setup-node— stops.npmrcgeneration.env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}removed from the "Publish to npm" step — nothing reads it.With both gone, npm CLI sees
id-token: write+--provenance+ trusted publisher configured per package, and uses OIDC for both provenance signing AND publish auth. This is the end-state trusted publishers are designed for.Why this is the right fix (not "regenerate the token")
Trusted publishers exist specifically to eliminate long-lived tokens from CI. Keeping the token plumbing as belt-and-braces was defensive but actively harmful here —
.npmrc's_authTokentakes precedence over OIDC regardless of--provenance.Test plan
gh workflow run release.yml -f tag=v0.12.0— idempotent, nothing published yet for 0.12.0.@stackbilt/*packages publish via OIDC at 0.12.0.NPM_TOKENrepo secret viagh secret delete NPM_TOKEN --repo Stackbilt-dev/charter.Related
npm publish --provenancestill needed the.npmrcto be absent.🤖 Generated with Claude Code