Merged
- Add OIDC permissions (id-token: write) for trusted publishing
- Update actions to v4 for better provenance support
- Add --provenance flag to npm publish command
- Leverages NPM Trusted Publishers config set up by @jarrodek

This removes the need for static NPM tokens and provides cryptographic verification of package authenticity.
leandrogilcarrano
approved these changes
Jan 6, 2026
🔐 Enable NPM Trusted Publishers (OIDC) for Secure Package Publishing
Problem
The package publishing workflow was failing with authentication errors:
Solution
Implements NPM Trusted Publishers using OpenID Connect (OIDC) authentication, which provides a more secure and maintainable approach than static tokens.
Changes Made
1. Added OIDC Permissions
This allows GitHub Actions to generate temporary, scoped tokens verified by NPM.
2. Updated Actions to v4
- actions/checkout@v4 (from v2)
- actions/setup-node@v4 (from v2)

These versions provide better support for provenance generation and OIDC workflows.
3. Added Provenance Flag
npm publish --provenance --access public

Generates a cryptographic signature that proves the package was published from this repository.
Benefits
✅ Enhanced Security: Uses short-lived OIDC tokens instead of static secrets
✅ No Token Expiration: Tokens are generated automatically per workflow run
✅ Supply Chain Security: Provenance statements provide verifiable authenticity
✅ Reduced Maintenance: No need to rotate or manage NPM tokens
✅ Audit Trail: Cryptographically signed publish events
Testing Checklist
References & Documentation
NPM Trusted Publishers
GitHub Actions
Related Issues
How It Works
```mermaid
sequenceDiagram
    participant GHA as GitHub Actions
    participant NPM as NPM Registry
    GHA->>GHA: Generate OIDC token
    GHA->>NPM: Publish with provenance
    NPM->>NPM: Verify token signature
    NPM->>NPM: Check trusted publisher config
    NPM->>NPM: Validate repository match
    NPM-->>GHA: ✅ Publish successful
    NPM->>NPM: Store provenance statement
```

Post-Merge Verification
After merging, verify the provenance on the package page:
Note: This workflow will still work with the NPM_TOKEN as a fallback if OIDC authentication is not available, but the primary authentication method is now via Trusted Publishers.

cc: @jarrodek - Thanks for setting up the Trusted Publishers configuration! 🎉
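As an added illustration, not the diff from this PR (which the page does not show), here is a minimal GitHub Actions publish job wired the way the description outlines: the `id-token: write` permission, the v4 actions, and `npm publish --provenance --access public`. The release trigger, Node version, job name and registry URL are assumptions; the repository must already be registered as a trusted publisher on the npm side for the OIDC exchange to succeed.

```yaml
# Assumed workflow file: .github/workflows/publish.yml (example, not from the PR)
name: Publish to npm

on:
  release:
    types: [published]   # assumed trigger; any event that should publish works

# Least privilege at workflow level: the job needs to read the repo and
# mint an OIDC token; it does not need write access to repository contents.
permissions:
  contents: read
  id-token: write        # required so the runner can request an OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # v4 of both actions, as the PR description updates them
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                          # assumed
          registry-url: https://registry.npmjs.org  # assumed public registry

      - run: npm ci

      # --provenance asks npm to attach a signed attestation that links the
      # published tarball to this repository, workflow and commit; the
      # registry then checks the OIDC token against the trusted publisher
      # configuration before accepting the publish. No NPM_TOKEN secret is
      # referenced here, which is the point of the change.
      - run: npm publish --provenance --access public
```

Once a version published this way is installed in a consumer project, `npm audit signatures` checks the registry signature and the provenance attestation for every installed package, which is a convenient way to confirm the post-merge verification step from the command line.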