Migrate NPM publishing to OIDC trusted publishing #3949

Merged: Kaycell merged 1 commit into master from kevin.viricel/AAWF-694/migrate-npm-oidc, Apr 16, 2026

@Kaycell Kaycell commented Apr 15, 2026

Summary

  • Switch from classic NPM token (YARN_NPM_AUTH_TOKEN) to OIDC trusted publishing
  • Upgrade to actions/setup-node@v4 with Node 24 (required for OIDC)
  • Replace yarn publish with npm publish --provenance for provenance attestation
  • Remove stored secret dependency entirely

Context

Classic NPM tokens were revoked, breaking all publishes since April 1 (v1.54.0 + 29 sub-package releases). Trusted Publisher has been configured on npmjs.com for all 117 @datadog/datadog-api-client* packages.

Test plan

  • Merge this PR
  • Trigger a release via prepare release with generators: typescript_split_package,typescript_legacy_package
  • Verify the main package publishes successfully on npm
  • Verify sub-packages publish successfully on npm

🤖 Generated with Claude Code

Switch from classic NPM token auth to OIDC trusted publishing:
- Add id-token: write permission for OIDC
- Upgrade to actions/setup-node@v4 with Node 24 and registry-url
- Replace yarn publish with npm publish --provenance
- Remove YARN_NPM_AUTH_TOKEN secret dependency

Trusted Publisher has been configured on npmjs.com for all 117
@datadog/datadog-api-client* packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

permissions:
contents: write
id-token: write # Required for OIDC trusted publishing
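
Review bot: `id-token: write` sits next to `contents: write` in a single `permissions:` block; if this block is at workflow level, every job in the workflow can request an OIDC token that npm will accept for publishing. Grant both permissions on the job that runs `npm publish` only and keep the workflow-level default read-only, so steps in other jobs cannot mint the token.
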
Contributor Author

Without this, GitHub Actions can't generate the OIDC token that npm needs

with:
fetch-depth: 1
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
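
Review bot: `actions/setup-node@v4` is referenced by a mutable tag in a workflow that is granted `id-token: write` and publishes to npm. Pin it to the full commit SHA of the v4 release that was reviewed, with the tag kept in a trailing comment, so a retagged action cannot run in the publish path.
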
Contributor Author

GitHub will force Node 24 in June 2026 so I took the opportunity to bump the version

cd $(echo $tag_name | rev | cut -d'/' -f2- | rev)
fi

yarn_major_version=$(yarn --version | cut -d'.' -f1)
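
Review bot: `$tag_name` and the command substitution on the `cd` line are unquoted, so a tag name containing whitespace or glob characters is word-split and expanded before `cd` receives it. Quote both, for example `cd "$(echo "$tag_name" | rev | cut -d'/' -f2- | rev)"`. Separately, if publishing now always goes through `npm publish`, check whether `yarn_major_version` is still read anywhere after this line and drop it if not.
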
Contributor Author

npm publish is the only officially supported path for OIDC trusted publishing.

@Kaycell Kaycell changed the title AAWF-694: Migrate NPM publishing to OIDC trusted publishing Migrate NPM publishing to OIDC trusted publishing Apr 16, 2026

Kaycell commented Apr 16, 2026

/merge

gh-worker-devflow-routing-ef8351 bot commented Apr 16, 2026

View all feedbacks in Devflow UI.

2026-04-16 10:21:02 UTC ℹ️ Start processing command /merge


2026-04-16 10:21:09 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-04-16 10:21:47 UTC ⚠️ MergeQueue: This merge request was unqueued

kevin.viricel@datadoghq.com unqueued this merge request

Kaycell commented Apr 16, 2026

/remove

gh-worker-devflow-routing-ef8351 bot commented Apr 16, 2026

View all feedbacks in Devflow UI.

2026-04-16 10:21:41 UTC ℹ️ Start processing command /remove


2026-04-16 10:21:45 UTC ℹ️ Devflow: /remove

@Kaycell Kaycell merged commit db9f656 into master Apr 16, 2026
26 of 28 checks passed
@Kaycell Kaycell deleted the kevin.viricel/AAWF-694/migrate-npm-oidc branch April 16, 2026 10:22
github-actions bot pushed a commit that referenced this pull request Apr 16, 2026
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> db9f656