feat(plugin-npm): support OIDC auth for CircleCI#7075
Merged
Conversation
blimmer
force-pushed
the
circleci-oidc-support
branch
2 times, most recently
from
March 15, 2026 22:28
670a26b to
37a015d
Compare
blimmer
commented
Mar 15, 2026
| @@ -0,0 +1,3 @@ | |||
| releases: | |||
| "@yarnpkg/cli": minor | |||
| "@yarnpkg/plugin-npm": minor | |||
Contributor
Author
There was a problem hiding this comment.
This is my first time contributing, so please let me know if I'm missing anything here. I believe we only need to update the plugin and the CLI.
|
|
||
| if (process.env.GITLAB_CI) { | ||
| idToken = process.env.NPM_ID_TOKEN || null; | ||
| } else if (process.env.CIRCLECI) { |
Contributor
Author
There was a problem hiding this comment.
Here are the docs that this is set in all CircleCI jobs: https://circleci.com/docs/reference/variables/#built-in-environment-variables
blimmer
marked this pull request as ready for review
March 15, 2026 22:29
CircleCI was recently added as a supported npm trusted publisher provider. Like GitLab CI, it sets the NPM_ID_TOKEN environment variable. This adds detection of the CIRCLECI env var to enable OIDC token exchange during `yarn npm publish`. Closes yarnpkg#7074
blimmer
force-pushed
the
circleci-oidc-support
branch
from
March 15, 2026 22:35
37a015d to
55f5ad8
Compare
Contributor
Author
|
Hey @arcanis - we'd love to be able to switch from using static tokens to OIDC publishing. This is a pretty small change following the existing patterns. Any chance I could request a review on it? TYIA! |
arcanis
approved these changes
Mar 30, 2026
3 tasks
arcanis
pushed a commit
that referenced
this pull request
May 5, 2026
## What's the problem this PR addresses? `yarn npm publish` skips the OIDC code path on CircleCI, even though [#7075](#7075) was supposed to add CircleCI support. That PR updated `getOidcToken()` in `packages/plugin-npm/sources/npmHttpUtils.ts` to read `NPM_ID_TOKEN` when `process.env.CIRCLECI` is set, but the gating expression in `packages/plugin-npm-cli/sources/commands/npm/publish.ts` that decides whether to pass `allowOidc: true` to `npmHttpUtils.put` was not updated: ```ts allowOidc: Boolean(process.env.CI && (process.env.GITHUB_ACTIONS || process.env.GITLAB_CI)), ``` So on CircleCI, `allowOidc` is always `false`, `getOidcToken()` is never called, and the publish either fails (no other auth) or falls back to a long-lived token. This contradicts the stated intent of #7075 ("CircleCI was recently added as a supported npm trusted publisher provider, but Yarn's OIDC implementation only supports GitHub Actions and GitLab CI"). Reproduction: a CircleCI release pipeline that mints an OIDC token via `circleci run oidc get --claims '{"aud":"npm:registry.npmjs.org"}'`, exports it as `NPM_ID_TOKEN`, then runs `yarn npm publish` against a package configured for trusted publishing. Expected: yarn exchanges the id-token for a single-use publish token. Actual: yarn never attempts the exchange, because the `allowOidc` gate excludes CircleCI. Refs #7074, #7075. ## How did you fix it? Added `process.env.CIRCLECI` to the disjunction, mirroring the branch that #7075 already added in `getOidcToken()`: ```ts allowOidc: Boolean(process.env.CI && (process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.CIRCLECI)), ``` This keeps the gate consistent with the providers `getOidcToken()` actually handles, and matches the same one-line shape as the GitLab fix in [#6938](#6938). No new tests: the change is an additional disjunct in a Boolean gate; there were no tests covering the GitHub Actions or GitLab CI cases of this expression either, and #7075 / #6938 were merged without tests for the same reason. ## Checklist - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing). - [x] I have set the packages that need to be released for my changes to be effective. - [x] I will check that all automated PR checks pass before the PR gets reviewed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What's the problem this PR addresses?
CircleCI was recently added as a supported npm trusted publisher provider, but Yarn's OIDC implementation only supports GitHub Actions and GitLab CI.
The upstream npm CLI already supports CircleCI in
lib/utils/oidc.js(checkingciInfo.CIRCLE). Since Yarn's implementation was adapted from the npm CLI, it should be updated to match.Closes #7074.
How did you fix it?
Added detection of the
CIRCLECIenvironment variable ingetOidcToken(). Like GitLab CI, CircleCI sets theNPM_ID_TOKENenvironment variable, so the implementation follows the same pattern.Note: The upstream npm CLI notes that CircleCI doesn't support provenance yet, so the auto-provenance logic in #7017 / #7018 naturally skips CircleCI (no visibility env var to check).
Checklist