Skip to content

feat: use NPM's trusted publishers which generates a token with OIDC#13

Merged
cdunster merged 1 commit into
mainfrom
use-npm-trusted-publishers
Jun 8, 2026
Merged

feat: use NPM's trusted publishers which generates a token with OIDC#13
cdunster merged 1 commit into
mainfrom
use-npm-trusted-publishers

Conversation

@cdunster

@cdunster cdunster commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Remove the setting of the token so OIDC is used to generate a trusted token instead.

@cdunster
feat: use NPM's trusted publishers which generates a token with OIDC
c13ccc6 
Remove the setting of the token so OIDC is used to generate a trusted
token instead.
@cdunster cdunster self-assigned this Jun 8, 2026
@cocogitto-bot

cocogitto-bot Bot commented Jun 8, 2026

Copy link
Copy Markdown

✔️ c13ccc6 - Conventional commits check succeeded.

@coderabbitai

coderabbitai Bot commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b5b3ba22-0145-4518-8c50-99519a5d348d

📥 Commits

Reviewing files that changed from the base of the PR and between 72db114 and c13ccc6.

📒 Files selected for processing (1)
  • .github/workflows/nodejs-publish-release.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/nodejs-publish-release.yml

Walkthrough

The pull request modifies the Node.js publish release workflow to remove explicit NPM token authentication. The workflow deletes the NPM_TOKEN secret from the workflow inputs and removes the corresponding NODE_AUTH_TOKEN environment variable in the publish step. The npm publish command retains the --provenance flag, which authenticates using GitHub's OpenID Connect (OIDC) token instead of a separate secret credential.

Suggested reviewers

  • ThetaSinner
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: switching from explicit NPM_TOKEN to OIDC-based trusted publishers for npm authentication.
Description check ✅ Passed The description is directly related to the changeset, explaining the rationale for removing the token and using OIDC instead.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch use-npm-trusted-publishers

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@cdunster cdunster enabled auto-merge (rebase) June 8, 2026 14:53
@cdunster cdunster requested a review from a team June 8, 2026 14:53
@cdunster cdunster merged commit 39965a6 into main Jun 8, 2026
4 checks passed
@cdunster cdunster deleted the use-npm-trusted-publishers branch June 8, 2026 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThetaSinner ThetaSinner ThetaSinner approved these changes

Assignees

@cdunster cdunster

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cdunster @ThetaSinner