[npm] Add OIDC support for npm publishing

geropl · ona-agent · geropl · commit 08efb23c2675 · 2026-01-07T10:32:24.000Z
Use npm publish with --provenance flag when OIDC is available (GitHub
Actions with id-token permission). This allows publishing without
NPM_AUTH_TOKEN by using GitHub's OIDC token.

Falls back to yarn publish with token-based auth when OIDC is not
available for backward compatibility.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/components/gitpod-protocol/scripts/publish.js b/components/gitpod-protocol/scripts/publish.js
@@ -19,14 +19,19 @@ if (process.env.DO_PUBLISH === "false") {
     process.exit(0);
 }
 
-if (process.env.NPM_AUTH_TOKEN) {
+// Check if we should use OIDC (GitHub Actions with id-token permission)
+const useOIDC = process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+
+if (useOIDC) {
+    console.log("Using npm OIDC authentication (provenance)");
+} else if (process.env.NPM_AUTH_TOKEN) {
     fs.writeFileSync(
         path.join(pckDir, ".npmrc"),
         `//registry.npmjs.org/:_authToken=${process.env.NPM_AUTH_TOKEN}\n`,
         "utf-8",
     );
 } else {
-    console.warn("NPM_AUTH_TOKEN env variable is not set");
+    console.warn("NPM_AUTH_TOKEN env variable is not set and OIDC is not available");
 }
 
 const pck = JSON.parse(fs.readFileSync(path.join(pckDir, "package.json"), "utf-8"));
@@ -35,19 +40,37 @@ fs.writeFileSync(path.join(pckDir, "package.json"), JSON.stringify(pck, undefine
 
 const tag = qualifier.substr(0, qualifier.lastIndexOf("."));
 
-child_process.execSync(
-    [
-        "yarn",
-        "--cwd",
-        pckDir,
-        "publish",
-        "--tag",
-        tag,
-        "--access",
-        "public",
-        "--ignore-scripts",
-        "--network-timeout",
-        "300000",
-    ].join(" "),
-    { stdio: "inherit" },
-);
+if (useOIDC) {
+    // Use npm with provenance for OIDC
+    child_process.execSync(
+        [
+            "npm",
+            "publish",
+            "--tag",
+            tag,
+            "--access",
+            "public",
+            "--provenance",
+            "--ignore-scripts",
+        ].join(" "),
+        { stdio: "inherit", cwd: pckDir },
+    );
+} else {
+    // Fall back to yarn for token-based auth
+    child_process.execSync(
+        [
+            "yarn",
+            "--cwd",
+            pckDir,
+            "publish",
+            "--tag",
+            tag,
+            "--access",
+            "public",
+            "--ignore-scripts",
+            "--network-timeout",
+            "300000",
+        ].join(" "),
+        { stdio: "inherit" },
+    );
+}
