Background
PR #159 enabled npm provenance attestations. Provenance requires a Granular Access Token — classic tokens do not support provenance and are being deprecated by npm.
Using a classic token would silently break provenance: the publish would succeed, but no attestation would be generated. The package would be published without the security guarantees that provenance provides.
Goal
Verify that the npm token used in the NPM_TOKEN GitHub secret is a Granular Access Token scoped specifically to @idempot-dev, not a Classic token.
When to do this
Before the next release. If the token is classic, the next release will publish packages without provenance. This is a silent failure — the publish succeeds but the security feature is absent.
Verification steps
Step 1: Check token type in npm UI
- Log in to https://www.npmjs.com/ with the account that owns the
@idempot-dev organization
- Go to Access Tokens (click your profile → Access Tokens)
- Look for the token used by the
NPM_TOKEN GitHub secret
- Verify it says "Granular Access Token" (not "Classic Token")
Step 2: Verify token scope
The token should be scoped to:
- Packages:
@idempot-dev/*
- Permissions: Publish
- Organizations:
idempot-dev
It should NOT be a "Read and publish" token for your personal account — that would be a classic token.
Step 3: Verify token is active and not expired
Granular tokens have expiration dates. Check that the token is still active and not approaching expiry.
If the token is classic
Action required
-
Create a new Granular Access Token:
- Go to npm → Access Tokens → Generate New Token → Granular Access Token
- Name:
idempot-js-release-provenance
- Packages:
@idempot-dev/*
- Permissions: Publish
- Expiration: Set a reasonable expiry (e.g., 1 year) with a calendar reminder
-
Update the GitHub secret:
-
Test the token:
- The only way to fully test is through the release workflow
- Consider a test publish to a private/unpublished package or a dry-run
Why this matters
| Token type |
Provenance support |
Deprecation status |
Security |
| Classic |
❌ No |
Being deprecated by npm |
Lower (full account access) |
| Granular |
✅ Yes |
Current standard |
Higher (scoped to specific packages) |
Related
Background
PR #159 enabled npm provenance attestations. Provenance requires a Granular Access Token — classic tokens do not support provenance and are being deprecated by npm.
Using a classic token would silently break provenance: the publish would succeed, but no attestation would be generated. The package would be published without the security guarantees that provenance provides.
Goal
Verify that the npm token used in the
NPM_TOKENGitHub secret is a Granular Access Token scoped specifically to@idempot-dev, not a Classic token.When to do this
Before the next release. If the token is classic, the next release will publish packages without provenance. This is a silent failure — the publish succeeds but the security feature is absent.
Verification steps
Step 1: Check token type in npm UI
@idempot-devorganizationNPM_TOKENGitHub secretStep 2: Verify token scope
The token should be scoped to:
@idempot-dev/*idempot-devIt should NOT be a "Read and publish" token for your personal account — that would be a classic token.
Step 3: Verify token is active and not expired
Granular tokens have expiration dates. Check that the token is still active and not approaching expiry.
If the token is classic
Action required
Create a new Granular Access Token:
idempot-js-release-provenance@idempot-dev/*Update the GitHub secret:
NPM_TOKENwith the new token valueTest the token:
Why this matters
Related