Update gha workflow to use OIDC when publishing to npm #44

Merged
gnakaki-vs merged 1 commit into master from OIDC-npm-publishing
Mar 24, 2026

Conversation

@gnakaki-vs
Contributor

Switching npm publishing to use OIDC will resolve an issue where the existing access token is no longer valid while also preventing a need to manage token rotation.

gnakaki-vs requested a review from Copilot February 11, 2026 23:00

Copilot AI left a comment

Pull request overview

Switch GitHub Actions npm publishing from a long-lived npm token to OIDC-based authentication to avoid token rotation and invalidation issues.

Changes:

  • Adds id-token: write permission to enable OIDC token minting for the publish job
  • Updates workflow comments to reflect OIDC usage
  • Removes NODE_AUTH_TOKEN secret usage from npm publish

Comment thread .github/workflows/push.yml
@kanaka
Collaborator

kanaka commented Feb 11, 2026

@gnakaki-vs I think you might need to force push the version tag to move it to this PR branch/commit in order to trigger the whole release process.

@gnakaki-vs
Contributor Author

gnakaki-vs commented Feb 11, 2026

Thanks for that input, @kanaka. I've updated and pushed the v2.5.8 tag.

Great to be working with you again!

@gnakaki-vs
Contributor Author

FYI, I haven't identified the issue with OIDC yet. To unblock things, I've:

  1. Generated a new npm token and set that in conlink github.
  2. Switched the v2.5.8 release tag back to Joel's last commit.
  3. Confirmed that the conlink package was successfully updated in npm.

I'll continue to look into debugging OIDC.

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


Comment thread .github/workflows/push.yml Outdated
Comment thread .github/workflows/push.yml
gnakaki-vs force-pushed the OIDC-npm-publishing branch 2 times, most recently from d538c5d to 8a73ed2 March 23, 2026 20:49

@gnakaki-vs
Contributor Author

Updated commit based on feedback from npm support, including updated npm version. NPM publish was successful in latest GHA run.

cpkingViasat left a comment

LGTM

Comment thread .github/workflows/push.yml Outdated
    - name: Setup Node
      uses: actions/setup-node@v4
      with:
        node-version: '20.x'

Collaborator

I'm curious if we updated this to 24 (or whatever is the latest LTS), if we wouldn't need to upgrade npm below?

Contributor Author

It looks like Node.js v24.11.0 ships with npm v11.6.1, which would still need to be updated to at least v11.6.4 to support the npm OIDC.

However, node 20 is EOL soon so I can also update that to 24 and test.

Switching npm publishing to use OIDC will resolve an issue where
the existing access token is no longer valid while also preventing
a need to manage token rotation. We also update node to 24.x as
20 is EOL on April 30, 2026.

Version 2.6.3 was released as an intermediate test in development.

gnakaki-vs force-pushed the OIDC-npm-publishing branch from 8a73ed2 to 63a7dac March 24, 2026 19:41
gnakaki-vs merged commit 28ff619 into master Mar 24, 2026
16 checks passed
gnakaki-vs deleted the OIDC-npm-publishing branch March 24, 2026 20:30
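
A preflight check for the publish job, as an added example that is not part of this pull request or the conlink repository: it compares the runner's npm version against the 11.6.4 minimum quoted in the review thread and checks for the two environment variables GitHub Actions exposes to jobs granted `id-token: write`. The function names `version_ge` and `oidc_preflight`, the `--run` switch and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for npm OIDC publishing from a GitHub Actions job.
# MIN_NPM is the minimum npm version quoted in the review thread (assumption).
MIN_NPM=11.6.4

# version_ge A B: status 0 if A >= B, 1 if A < B, 2 if either is malformed.
# Fields are compared as numbers, so 11.10.0 ranks above 11.6.4.
version_ge() {
  va="${1%%[-+]*}.0.0"   # drop any prerelease/build suffix, pad missing fields
  vb="${2%%[-+]*}.0.0"
  for i in 1 2 3; do
    x=$(printf '%s\n' "$va" | cut -d. -f"$i")
    y=$(printf '%s\n' "$vb" | cut -d. -f"$i")
    case "$x" in ''|*[!0-9]*) return 2 ;; esac
    case "$y" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# oidc_preflight NPM_VERSION: print each problem, return how many were found.
oidc_preflight() {
  problems=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm '$1' is below $MIN_NPM or unparseable: upgrade npm before 'npm publish'"
    problems=$((problems + 1))
  fi
  # GitHub exposes these two variables only to jobs granted 'id-token: write'.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: add 'id-token: write' to permissions"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Run as: sh preflight.sh --run   (script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
  oidc_preflight "$(npm --version)"
fi
```

Placed as a step before `npm publish`, a non-zero exit stops the job with the reason printed, which separates a permissions problem from an npm version problem.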