Skip to content

feat: add npm OIDC trusted publishing support#561

Closed
GarthDB wants to merge 2 commits intochangesets:mainfrom
GarthDB:feat/oidc-trusted-publishing
Closed

feat: add npm OIDC trusted publishing support#561
GarthDB wants to merge 2 commits intochangesets:mainfrom
GarthDB:feat/oidc-trusted-publishing

Conversation

@GarthDB
Copy link

@GarthDB GarthDB commented Jan 24, 2026

This PR adds support for npm's OIDC-based trusted publishing, which lets you publish packages without managing long-lived NPM tokens.

What this addresses

Closes #542 and helps with #515 by enabling OIDC in the current workflow model. Related to #545 but takes a more comprehensive approach.

Changes

Added a new oidcAuth input parameter (defaults to false for backward compatibility). When enabled, the action validates your OIDC environment before trying to publish:

  • Checks you're running npm 11.5.1+ (requirement for OIDC)
  • Verifies id-token: write permission is set
  • Detects if you accidentally left NPM_TOKEN set (conflicting auth)

The implementation explicitly passes OIDC environment variables to the publish command. This is necessary because some toolchains spawn fresh shell processes, and we need to ensure the OIDC tokens reach npm even through those layers.

Testing

I've been testing this in production at Adobe (spectrum-design-data repo) and added comprehensive test coverage:

  • 9 unit tests for OIDC validation logic
  • 13 integration tests for authentication setup
  • Automated test workflow with 4 different scenarios

All 30 tests pass locally.

How to use it

permissions:
  contents: write
  pull-requests: write
  id-token: write  # This is the key addition

jobs:
  release:
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm install -g npm@latest  # Get npm 11.5.1+

      - uses: changesets/action@v1
        with:
          publish: yarn release
          oidcAuth: true  # Enable OIDC
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # No NPM_TOKEN needed!

You'll also need to configure trusted publishing on npmjs.com for your packages (one-time setup).

Why this approach vs PR #545

PR #545 just prevents writing undefined to .npmrc, but doesn't validate the environment or provide any feedback when things are misconfigured. This implementation validates upfront and gives you clear error messages if something's wrong, which saves a lot of debugging time.

Backward compatibility

Fully backward compatible - existing workflows using NPM_TOKEN continue to work unchanged. OIDC is opt-in via the new parameter.

@GarthDB
feat: add npm OIDC trusted publishing support
38308fd 
Add support for npm's OIDC trusted publishing, eliminating the need for
long-lived NPM_TOKEN secrets. This provides better security through
cryptographic provenance attestation and short-lived credentials.

Changes:
- Add `oidcAuth` boolean input parameter (default: false)
- Implement OIDC environment validation:
  - Check npm version >= 11.5.1
  - Verify id-token: write permission
  - Detect conflicting NPM_TOKEN
- Early authentication validation before changeset operations
- Skip .npmrc creation in OIDC mode (npm CLI auto-detects OIDC)
- Explicit environment variable passing for compatibility with
  toolchains like proto shims and moon that start fresh shells
- Maintain full backward compatibility with NPM_TOKEN authentication

Tests:
- 9 unit tests for OIDC validation
- 13 integration tests for authentication setup
- Full backward compatibility test coverage
- All tests passing (30 total)

Documentation:
- Comprehensive OIDC setup guide with prerequisites
- Migration instructions from NPM_TOKEN to OIDC
- Clear explanation of benefits and provenance attestation
- Example workflows for both authentication methods

Resolves: changesets#515
@GarthDB
test: add OIDC validation test workflow
b7f2e60
@changeset-bot
Copy link

changeset-bot bot commented Jan 24, 2026

⚠️ No Changeset found

Latest commit: b7f2e60

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@GarthDB GarthDB closed this Jan 26, 2026
@GarthDB
Copy link
Author

GarthDB commented Jan 26, 2026

After some further tests, I made a better pr with #562

@GarthDB GarthDB deleted the feat/oidc-trusted-publishing branch January 26, 2026 00:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support Trusted Publishing

1 participant

@GarthDB