[npm] Switch to npm publish with OIDC support

geropl · ona-agent · geropl · commit 8337d9f3107a · 2026-01-07T15:12:56.000Z
Switch from yarn to npm for package publishing to support OIDC authentication.
Yarn v1 does not support OIDC, while npm 11.5.1+ does.

Changes:
- Update publish.js to use npm publish instead of yarn publish
- Always use --provenance flag (works with both OIDC and token auth)
- npm automatically detects and uses OIDC when available in GitHub Actions
- Falls back to token-based auth when NPM_AUTH_TOKEN is set
- Update devcontainer to install npm 11.5.1 (minimum version for OIDC)

When running in GitHub Actions with id-token: write permission, npm will
automatically use OIDC without requiring NPM_AUTH_TOKEN.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -327,14 +327,16 @@ RUN useradd -m -s /bin/bash gitpod && \
 ENV GRADLE_USER_HOME=/workspace/.gradle/
 
 ENV NODE_VERSION=22.17.0
+ENV NPM_VERSION=11.5.1
 
 ENV PNPM_HOME=/root/.pnpm
 ENV PATH=/root/.nvm/versions/node/v${NODE_VERSION}/bin:/root/.yarn/bin:${PNPM_HOME}:$PATH
 ENV HOME=/root
 RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
     && bash -c ". $HOME/.nvm/nvm.sh \
     && nvm install v${NODE_VERSION} \
-    && nvm alias default v${NODE_VERSION}"
+    && nvm alias default v${NODE_VERSION} \
+    && npm install -g npm@${NPM_VERSION}"
 
 # Disable npx (security hardening - prevents arbitrary package execution)
 # Remove npx from NVM and replace with stub that prints warning
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 Gitpod Classic is a developer platform providing on-demand, pre-configured development environments in the cloud. It allows developers to spin up secure workspaces with a simple .gitpod.yml configuration file, eliminating the need for manual environment setup. The platform integrates seamlessly with GitHub, GitLab, Bitbucket, and Azure DevOps, offering features like prebuilt environments, collaborative code reviews, and professional developer experience with VS Code extensions and customization options. Workspaces are ephemeral, secure, and based on Docker, providing developers with the same capabilities as their local Linux machines but in a consistent, reproducible cloud environment.
 
-> **Important: [Gitpod Classic pay-as-you-go will sunset on October 15th](https://ona.com/stories/gitpod-classic-payg-sunset)** 2025 (this date does not apply to Enterprise customers). All existing pay-as-you-go users should migrate to Ona before this date. See our blog for detailed instructions.
+> **Important: [Gitpod Classic pay-as-you-go did sunset on October 15th](https://ona.com/stories/gitpod-classic-payg-sunset)** 2025. See our blog for detailed instructions.
 
 ## Documentation
 
diff --git a/components/gitpod-protocol/scripts/publish.js b/components/gitpod-protocol/scripts/publish.js
@@ -19,14 +19,17 @@ if (process.env.DO_PUBLISH === "false") {
     process.exit(0);
 }
 
+// Configure npm authentication
+// When OIDC is available (GitHub Actions with id-token permission), npm will automatically
+// use it for authentication. Otherwise, fall back to token-based auth.
 if (process.env.NPM_AUTH_TOKEN) {
     fs.writeFileSync(
         path.join(pckDir, ".npmrc"),
         `//registry.npmjs.org/:_authToken=${process.env.NPM_AUTH_TOKEN}\n`,
         "utf-8",
     );
 } else {
-    console.warn("NPM_AUTH_TOKEN env variable is not set");
+    console.log("NPM_AUTH_TOKEN not set - will attempt OIDC authentication if available");
 }
 
 const pck = JSON.parse(fs.readFileSync(path.join(pckDir, "package.json"), "utf-8"));
@@ -35,19 +38,19 @@ fs.writeFileSync(path.join(pckDir, "package.json"), JSON.stringify(pck, undefine
 
 const tag = qualifier.substr(0, qualifier.lastIndexOf("."));
 
+// Use npm publish (supports both OIDC and token-based auth)
+// npm will automatically use OIDC when running in GitHub Actions with id-token permission
+// Requires npm CLI version 11.5.1 or later for OIDC support
 child_process.execSync(
     [
-        "yarn",
-        "--cwd",
-        pckDir,
+        "npm",
         "publish",
         "--tag",
         tag,
         "--access",
         "public",
+        "--provenance",
         "--ignore-scripts",
-        "--network-timeout",
-        "300000",
     ].join(" "),
-    { stdio: "inherit" },
+    { stdio: "inherit", cwd: pckDir },
 );
