[npm] Add OIDC support for npm publishing

geropl · ona-agent · geropl · commit 649644691248 · 2026-01-07T10:51:15.000Z
Use npm publish with --provenance flag when OIDC is available (GitHub
Actions with id-token permission). This allows publishing without
NPM_AUTH_TOKEN by using GitHub's OIDC token.

Falls back to yarn publish with token-based auth when OIDC is not
available for backward compatibility.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/components/gitpod-protocol/scripts/publish.js b/components/gitpod-protocol/scripts/publish.js
@@ -19,14 +19,19 @@ if (process.env.DO_PUBLISH === "false") {
     process.exit(0);
 }
 
-if (process.env.NPM_AUTH_TOKEN) {
+// Check if we should use OIDC (GitHub Actions with id-token permission)
+const useOIDC = process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+
+if (useOIDC) {
+    console.log("Using npm OIDC authentication (provenance)");
+} else if (process.env.NPM_AUTH_TOKEN) {
     fs.writeFileSync(
         path.join(pckDir, ".npmrc"),
         `//registry.npmjs.org/:_authToken=${process.env.NPM_AUTH_TOKEN}\n`,
         "utf-8",
     );
 } else {
-    console.warn("NPM_AUTH_TOKEN env variable is not set");
+    console.warn("NPM_AUTH_TOKEN env variable is not set and OIDC is not available");
 }
 
 const pck = JSON.parse(fs.readFileSync(path.join(pckDir, "package.json"), "utf-8"));
@@ -35,19 +40,32 @@ fs.writeFileSync(path.join(pckDir, "package.json"), JSON.stringify(pck, undefine
 
 const tag = qualifier.substr(0, qualifier.lastIndexOf("."));
 
-child_process.execSync(
-    [
-        "yarn",
-        "--cwd",
-        pckDir,
-        "publish",
-        "--tag",
-        tag,
-        "--access",
-        "public",
-        "--ignore-scripts",
-        "--network-timeout",
-        "300000",
-    ].join(" "),
-    { stdio: "inherit" },
-);
+// Build publish command arguments
+const publishArgs = useOIDC
+    ? [
+          "npm",
+          "publish",
+          "--tag",
+          tag,
+          "--access",
+          "public",
+          "--provenance",
+          "--ignore-scripts",
+      ]
+    : [
+          "yarn",
+          "--cwd",
+          pckDir,
+          "publish",
+          "--tag",
+          tag,
+          "--access",
+          "public",
+          "--ignore-scripts",
+          "--network-timeout",
+          "300000",
+      ];
+
+const execOptions = useOIDC ? { stdio: "inherit", cwd: pckDir } : { stdio: "inherit" };
+
+child_process.execSync(publishArgs.join(" "), execOptions);
