Skip to content

fix(release) skip npm auth pre-check for OIDC trusted publishing#23

Merged
indexzero merged 1 commit intomainfrom
fix/odic
Apr 14, 2026
Merged

fix(release) skip npm auth pre-check for OIDC trusted publishing#23
indexzero merged 1 commit intomainfrom
fix/odic

Conversation

@indexzero
Copy link
Copy Markdown
Owner

@indexzero indexzero commented Apr 14, 2026
edited
Loading

What

Adds "skipChecks": true to the npm section of .release-it.json.

Why

release-it runs npm whoami as a pre-flight check before publishing. Under OIDC trusted publishing, no static auth token exists — the token is generated during npm publish --provenance via the GitHub Actions OIDC provider. The pre-check fails because it runs before the token exchange happens. Skipping it lets the publish step handle authentication at the right time.

Risk Assessment

Low risk. Single config addition. The npm registry still validates credentials during the actual publish step.

References

@indexzero @claude
fix(release) skip npm auth pre-check for OIDC trusted publishing
6228065 
release-it runs `npm whoami` before publishing, which fails under
OIDC because the auth token is only available during `npm publish
--provenance`. Skip the pre-flight check so the OIDC token exchange
happens at publish time as designed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@indexzero indexzero merged commit 7b70150 into main Apr 14, 2026
4 of 5 checks passed
@indexzero indexzero mentioned this pull request Apr 14, 2026
Merged
@indexzero indexzero deleted the fix/odic branch April 14, 2026 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@indexzero