Skip to content

[FSSDK-12891] Switch npm publishing to OIDC trusted publishing#1169

Open
FarhanAnjum-opti wants to merge 5 commits into
masterfrom
farhan/FSSDK-12891-trusted-publishing
Open

[FSSDK-12891] Switch npm publishing to OIDC trusted publishing#1169
FarhanAnjum-opti wants to merge 5 commits into
masterfrom
farhan/FSSDK-12891-trusted-publishing

Conversation

@FarhanAnjum-opti

@FarhanAnjum-opti FarhanAnjum-opti commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replace long-lived NPM_PUBLISH_TOKEN with OIDC trusted publishing for tokenless, more secure CI publishing
  • Upgrade actions/setup-node to v4 and Node to 22 (npm 11.5.1+ required for OIDC)
  • Add --provenance flag for supply-chain attestations
  • Add GitHub npm environment gate for deployment protection (branch restrictions + required reviewers)

Changes

Change Why
Added permissions: id-token: write, contents: read Required for GitHub to mint OIDC tokens
actions/setup-node@v3v4 Better OIDC / registry auth support
node-version: 1822 npm v11.5.1+ requires Node 22.14.0+
Added npm install -g npm@latest step Ensures npm CLI has OIDC trusted publishing support
Removed NODE_AUTH_TOKEN / NPM_PUBLISH_TOKEN references No longer needed — OIDC replaces the token
Added --provenance flag to npm publish Generates supply-chain provenance attestations
Added environment: npm Gates publish behind GitHub environment protection rules
Separated dry-run and real-publish paths --provenance is incompatible with --dry-run

Prerequisites (already done)

  • Trusted publisher configured on npmjs.com for @optimizely/optimizely-sdk
  • GitHub environment npm created with required reviewers and branch restrictions

Test plan

  • Trigger workflow_dispatch on this branch to verify OIDC handshake works (dry run)
  • After merge, do a real release to confirm end-to-end publish with provenance
  • After verifying, delete NPM_PUBLISH_TOKEN secret and switch npm package settings to "disallow tokens"

References

🤖 Generated with Claude Code

@coveralls

coveralls commented Jul 17, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 77.725%. remained the same — farhan/FSSDK-12891-trusted-publishing into master

@FarhanAnjum-opti
FarhanAnjum-opti force-pushed the farhan/FSSDK-12891-trusted-publishing branch from ef21d52 to f036634 Compare July 17, 2026 16:03
Replace long-lived NPM_PUBLISH_TOKEN with OIDC trusted publishing
for more secure, tokenless CI publishing to npm.

Workflow changes:
- Add id-token: write permission for OIDC token generation
- Move permissions to workflow level (add packages: write for GHR)
- Add GitHub environment gate (npm) for deployment protection
- Upgrade setup-node to v4 and Node to 22 (npm 11.5.1+ requirement)
- Add npm upgrade step to ensure OIDC support
- Remove NPM_PUBLISH_TOKEN from npm publish step (OIDC replaces it)

publish.sh changes:
- Make NODE_AUTH_TOKEN optional in curl lookup (public packages
  don't need auth for registry reads)
- Add --provenance flag for npm registry publishes (supply-chain
  attestations, not supported by GHR)

GHR publish step is unchanged — still uses GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@FarhanAnjum-opti
FarhanAnjum-opti force-pushed the farhan/FSSDK-12891-trusted-publishing branch from f036634 to 89d0741 Compare July 17, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants