
Commit 8337d9f

geroplona-agent and Ona committed
[npm] Switch to npm publish with OIDC support
Switch from yarn to npm for package publishing to support OIDC authentication. Yarn v1 does not support OIDC, while npm 11.5.1+ does.

Changes:
- Update publish.js to use npm publish instead of yarn publish
- Always use --provenance flag (works with both OIDC and token auth)
- npm automatically detects and uses OIDC when available in GitHub Actions
- Falls back to token-based auth when NPM_AUTH_TOKEN is set
- Update devcontainer to install npm 11.5.1 (minimum version for OIDC)

When running in GitHub Actions with id-token: write permission, npm will automatically use OIDC without requiring NPM_AUTH_TOKEN.

Co-authored-by: Ona <no-reply@ona.com>
1 parent ad15590 commit 8337d9f

3 files changed (+14, -9 lines)

.devcontainer/Dockerfile

Lines changed: 3 additions & 1 deletion
@@ -327,14 +327,16 @@ RUN useradd -m -s /bin/bash gitpod && \
327327
ENV GRADLE_USER_HOME=/workspace/.gradle/
328328

329329
ENV NODE_VERSION=22.17.0
330+
ENV NPM_VERSION=11.5.1
330331

331332
ENV PNPM_HOME=/root/.pnpm
332333
ENV PATH=/root/.nvm/versions/node/v${NODE_VERSION}/bin:/root/.yarn/bin:${PNPM_HOME}:$PATH
333334
ENV HOME=/root
334335
RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
335336
&& bash -c ". $HOME/.nvm/nvm.sh \
336337
&& nvm install v${NODE_VERSION} \
337-
&& nvm alias default v${NODE_VERSION}"
338+
&& nvm alias default v${NODE_VERSION} \
339+
&& npm install -g npm@${NPM_VERSION}"
338340

339341
# Disable npx (security hardening - prevents arbitrary package execution)
340342
# Remove npx from NVM and replace with stub that prints warning
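Review bot: the new `npm install -g npm@${NPM_VERSION}` step has to stay ahead of the `# Disable npx` block that follows this RUN, because upgrading npm installs a fresh `npx` binary next to it; if the two steps are ever reordered the stub is overwritten and the hardening is silently lost, so a comment saying "must run before the npx stub" would be worth adding here. Separately, this devcontainer pin has no effect on OIDC publishing, which only happens on the GitHub Actions runner that executes publish.js; the CI workflow needs its own npm >= 11.5.1 pin and no workflow change is part of this diff, so please confirm the runner's npm version or add that pin in a follow-up.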

README.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66

77
Gitpod Classic is a developer platform providing on-demand, pre-configured development environments in the cloud. It allows developers to spin up secure workspaces with a simple .gitpod.yml configuration file, eliminating the need for manual environment setup. The platform integrates seamlessly with GitHub, GitLab, Bitbucket, and Azure DevOps, offering features like prebuilt environments, collaborative code reviews, and professional developer experience with VS Code extensions and customization options. Workspaces are ephemeral, secure, and based on Docker, providing developers with the same capabilities as their local Linux machines but in a consistent, reproducible cloud environment.
88

9-
> **Important: [Gitpod Classic pay-as-you-go will sunset on October 15th](https://ona.com/stories/gitpod-classic-payg-sunset)** 2025 (this date does not apply to Enterprise customers). All existing pay-as-you-go users should migrate to Ona before this date. See our blog for detailed instructions.
9+
> **Important: [Gitpod Classic pay-as-you-go did sunset on October 15th](https://ona.com/stories/gitpod-classic-payg-sunset)** 2025. See our blog for detailed instructions.
1010
1111
## Documentation
1212
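Review bot: the rewritten notice reads awkwardly ("did sunset on October 15th 2025"); "sunset on October 15th, 2025" is the natural past tense. Also, "See our blog for detailed instructions" now lacks an antecedent because the sentence about migrating to Ona was dropped; either say what the instructions cover (migrating to Ona) or drop that sentence.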

components/gitpod-protocol/scripts/publish.js

Lines changed: 10 additions & 7 deletions
@@ -19,14 +19,17 @@ if (process.env.DO_PUBLISH === "false") {
1919
process.exit(0);
2020
}
2121

22+
// Configure npm authentication
23+
// When OIDC is available (GitHub Actions with id-token permission), npm will automatically
24+
// use it for authentication. Otherwise, fall back to token-based auth.
2225
if (process.env.NPM_AUTH_TOKEN) {
2326
fs.writeFileSync(
2427
path.join(pckDir, ".npmrc"),
2528
`//registry.npmjs.org/:_authToken=${process.env.NPM_AUTH_TOKEN}\n`,
2629
"utf-8",
2730
);
2831
} else {
29-
console.warn("NPM_AUTH_TOKEN env variable is not set");
32+
console.log("NPM_AUTH_TOKEN not set - will attempt OIDC authentication if available");
3033
}
3134

3235
const pck = JSON.parse(fs.readFileSync(path.join(pckDir, "package.json"), "utf-8"));
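Review bot: the token branch still writes NPM_AUTH_TOKEN in plaintext to pckDir/.npmrc and nothing in publish.js removes it afterwards, so on any runner that uses this fallback the secret outlives the publish step; wrap the publish in try/finally and unlink the file, or write it to a temp directory and point NPM_CONFIG_USERCONFIG at it. The else branch only logs "will attempt OIDC authentication if available" without checking that OIDC is actually available; GitHub sets ACTIONS_ID_TOKEN_REQUEST_URL in the environment when the job has id-token: write, so testing for that variable and exiting with a clear message when neither it nor NPM_AUTH_TOKEN is present would fail fast instead of letting npm publish die with an opaque auth error.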
@@ -35,19 +38,19 @@ fs.writeFileSync(path.join(pckDir, "package.json"), JSON.stringify(pck, undefine
3538

3639
const tag = qualifier.substr(0, qualifier.lastIndexOf("."));
3740

41+
// Use npm publish (supports both OIDC and token-based auth)
42+
// npm will automatically use OIDC when running in GitHub Actions with id-token permission
43+
// Requires npm CLI version 11.5.1 or later for OIDC support
3844
child_process.execSync(
3945
[
40-
"yarn",
41-
"--cwd",
42-
pckDir,
46+
"npm",
4347
"publish",
4448
"--tag",
4549
tag,
4650
"--access",
4751
"public",
52+
"--provenance",
4853
"--ignore-scripts",
49-
"--network-timeout",
50-
"300000",
5154
].join(" "),
52-
{ stdio: "inherit" },
55+
{ stdio: "inherit", cwd: pckDir },
5356
);
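Review bot: `--provenance` is now unconditional, but npm can only generate provenance inside a supported CI provider (GitHub Actions or GitLab CI) where it can obtain an OIDC identity token for Sigstore; with NPM_AUTH_TOKEN set but outside such a runner, `npm publish --provenance` aborts, so the token fallback does not give a working local or manual publish path despite the commit message. Gate the flag on process.env.GITHUB_ACTIONS, or keep it unconditional and document that publishing is CI-only. Two smaller points: the removed `--network-timeout 300000` was yarn-specific and its npm counterpart is `--fetch-timeout` (default is also 300000 ms, so behaviour is unchanged, but the message should say so); and since the call still goes through execSync on a shell-joined string, the switch to npm is a good moment to move to execFileSync("npm", [...], { stdio: "inherit", cwd: pckDir }) so that `tag` (derived from qualifier) is never shell-interpolated.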

0 commit comments