Skip to content

Commit d29d674

Browse files
pRizzclaude
andcommitted
ci: migrate npm publishing from OIDC to NPM_TOKEN secret
OIDC trusted publishing is having issues, so switch to token-based auth. Each publish step now uses NODE_AUTH_TOKEN from secrets.NPM_TOKEN. Removed id-token permission, OIDC verification step, and --provenance flags. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 7f4acd3 commit d29d674

2 files changed

Lines changed: 29 additions & 30 deletions

File tree

.github/workflows/publish-npm.yml

Lines changed: 29 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
name: Publish to npm
22

3-
# We intentionally use npm publish (not bun publish) for releases because npm currently
4-
# provides the trusted publishing OIDC + provenance path used by this workflow.
3+
# We intentionally use npm publish (not bun publish) for releases because npm handles
4+
# workspace-aware publishing and registry auth reliably.
55
# Bun remains the package manager/build tool in this repo; npm is used only for final
6-
# registry publication security guarantees.
6+
# registry publication.
77

88
on:
99
workflow_call:
@@ -31,7 +31,6 @@ jobs:
3131
needs: [build-binaries]
3232
permissions:
3333
contents: read
34-
id-token: write # Required so npm can verify GitHub OIDC identity and issue provenance attestations.
3534
steps:
3635
- uses: actions/checkout@v6
3736
with:
@@ -135,52 +134,53 @@ jobs:
135134
packages/cli-node-linux-arm64-musl \
136135
packages/core \
137136
packages/cli-node; do
138-
echo "Dry-run publishing ${pkg} with npm provenance"
139-
npm publish --workspace "${pkg}" --dry-run --access public --provenance >/dev/null
137+
echo "Dry-run publishing ${pkg}"
138+
npm publish --workspace "${pkg}" --dry-run --access public >/dev/null
140139
done
141140
142141
- name: Build Node packages
143142
run: |
144143
bun run --cwd packages/cli-node build
145144
146-
- name: Verify OIDC environment for npm trusted publishing
147-
run: |
148-
set -euo pipefail
149-
150-
if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
151-
echo "Error: GitHub OIDC token environment is unavailable."
152-
echo "Ensure this job has permissions.id-token=write and runs on a GitHub-hosted runner."
153-
exit 1
154-
fi
155-
156-
echo "OIDC environment detected for npm trusted publishing."
157-
158-
# Use npm publish with --provenance so npm can generate attestations from this
159-
# workflow's OIDC identity. With trusted publishing, npm uses OIDC for auth.
160-
# --provenance preserves explicit attestation intent for this release path.
161145
- name: Publish @opencode-cloud/cli-node-darwin-arm64
162-
run: npm publish --workspace packages/cli-node-darwin-arm64 --access public --provenance
146+
run: npm publish --workspace packages/cli-node-darwin-arm64 --access public
147+
env:
148+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
163149

164150
- name: Publish @opencode-cloud/cli-node-darwin-x64
165-
run: npm publish --workspace packages/cli-node-darwin-x64 --access public --provenance
151+
run: npm publish --workspace packages/cli-node-darwin-x64 --access public
152+
env:
153+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
166154

167155
- name: Publish @opencode-cloud/cli-node-linux-x64
168-
run: npm publish --workspace packages/cli-node-linux-x64 --access public --provenance
156+
run: npm publish --workspace packages/cli-node-linux-x64 --access public
157+
env:
158+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
169159

170160
- name: Publish @opencode-cloud/cli-node-linux-arm64
171-
run: npm publish --workspace packages/cli-node-linux-arm64 --access public --provenance
161+
run: npm publish --workspace packages/cli-node-linux-arm64 --access public
162+
env:
163+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
172164

173165
- name: Publish @opencode-cloud/cli-node-linux-x64-musl
174-
run: npm publish --workspace packages/cli-node-linux-x64-musl --access public --provenance
166+
run: npm publish --workspace packages/cli-node-linux-x64-musl --access public
167+
env:
168+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
175169

176170
- name: Publish @opencode-cloud/cli-node-linux-arm64-musl
177-
run: npm publish --workspace packages/cli-node-linux-arm64-musl --access public --provenance
171+
run: npm publish --workspace packages/cli-node-linux-arm64-musl --access public
172+
env:
173+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
178174

179175
- name: Publish @opencode-cloud/core
180-
run: npm publish --workspace packages/core --access public --provenance
176+
run: npm publish --workspace packages/core --access public
177+
env:
178+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
181179

182180
- name: Publish opencode-cloud
183-
run: npm publish --workspace packages/cli-node --access public --provenance
181+
run: npm publish --workspace packages/cli-node --access public
182+
env:
183+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
184184

185185
- name: Summary
186186
run: |

.github/workflows/version-bump.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,6 @@ concurrency:
2121
permissions:
2222
contents: write # Required for pushing commits and tags
2323
packages: write # Required for GHCR push (docker-publish)
24-
id-token: write # Required for npm provenance (publish-npm)
2524

2625
jobs:
2726
bump-version:

0 commit comments

Comments
 (0)