chore(ci): switch publish to OIDC trusted publishing#1839
chore(ci): switch publish to OIDC trusted publishing#1839felixweinberger wants to merge 2 commits intov1.xfrom
Conversation
|
commit: |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — straightforward CI change removing token-based auth in favor of OIDC trusted publishing.
Extended reasoning...
Overview
Single-file CI change to .github/workflows/main.yml (v1.x branch). Removes registry-url from actions/setup-node and drops the NODE_AUTH_TOKEN env var from the npm publish step. The id-token: write permission was already present, so OIDC will work without additional changes.
Security risks
This change improves the security posture by eliminating the need for a long-lived NPM_TOKEN secret. OIDC trusted publishing is the recommended modern approach. No new attack surface is introduced.
Level of scrutiny
Low — this is a mechanical two-line deletion in a CI workflow. The companion PR (#1838) made the identical change to the main branch workflow.
Other factors
No bugs found. No changeset needed (CI-only change). The environment: release gate and id-token: write permission already provide the necessary constraints for OIDC to function correctly.
bhosmer-ant
left a comment
bhosmer-ant
left a comment
There was a problem hiding this comment.
Clean backport — v1.x already had id-token: write job-scoped, --provenance, and environment: release, so dropping registry-url + NODE_AUTH_TOKEN is the whole change.
One parity gap with #1838: that PR adds npm install -g npm@11.5.1 before publish (OIDC needs npm ≥11.5.1; the rationale is not depending on which Node 24 patch setup-node resolves to). This backport omits it. Fails closed if it's ever a problem, so low risk — but for consistency:
- name: Ensure npm CLI supports OIDC trusted publishing
run: npm install -g npm@11.5.1Also noting: the npm trusted-publisher config needs a second entry for v1.x (main.yml / release — different workflow filename than main's release.yml).
Review by Claude, checked by Basil.
Done. |
There was a problem hiding this comment.
LGTM — straightforward CI change mirroring #1838 on the v1.x branch.
Extended reasoning...
Overview
Single-file change to .github/workflows/main.yml that removes registry-url from actions/setup-node and NODE_AUTH_TOKEN from the publish step, replacing them with OIDC trusted publishing (pins npm@11.5.1 to ensure support). This is the v1.x companion to #1838, which has already landed on main.
Security risks
None — this change improves the security posture by removing a long-lived secret (NPM_TOKEN) in favor of short-lived OIDC tokens. The id-token: write permission was already present, and the publish job is gated behind the release environment.
Level of scrutiny
Low. This is a mechanical CI configuration change with a clear, well-understood pattern. The identical change was already reviewed and merged for the main branch (#1838).
Other factors
No bugs found by the automated review system. No outstanding reviewer comments. The change is small, self-contained, and consistent with the already-merged companion PR.
bhosmer-ant
left a comment
bhosmer-ant
left a comment
There was a problem hiding this comment.
npm-guard step added — parity with #1838. LGTM.
Review by Claude, checked by Basil.
2 participants
v1.x companion to #1838. Drops
NODE_AUTH_TOKENandregistry-url— npm CLI auto-detects GitHub Actions OIDC.id-token: writewas already present.Requires a trusted publisher configured for
@modelcontextprotocol/sdkon npmjs.com (workflowmain.yml, environmentrelease).