Skip to content

Drop access token in favor of OICD to authenticate against npm (#685) #686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bedrich-schindler merged 1 commit into from
Dec 23, 2025
Merged

Drop access token in favor of OICD to authenticate against npm (#685) #686

bedrich-schindler merged 1 commit into from
Dec 23, 2025
+4 −2

Conversation

@bedrich-schindler
Copy link
Contributor

@bedrich-schindler bedrich-schindler commented Dec 20, 2025

This requires to add thrust published on npmjs.com before running publish_package_to_npm job. NPM_PUBLISH_TOKEN secret can be then removed from repository settings.

Closes #685

@bedrich-schindler
Drop access token in favor of OICD to authenticate against npm (#685)
04148f0 
This requires to add thrust published on npmjs.com before running
`publish_package_to_npm` job. `NPM_PUBLISH_TOKEN` secret can be
then removed from repository settings.
Copilot AI reviewed Dec 20, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR transitions npm publishing authentication from using a secret access token (NPM_PUBLISH_TOKEN) to OpenID Connect (OIDC) for more secure authentication. This change requires configuring trust between the GitHub Actions workflow and npmjs.com before running the publish job.

Key changes:

  • Added workflow-level permissions for OIDC (id-token: write and contents: read)
  • Removed the NODE_AUTH_TOKEN environment variable and its reference to NPM_PUBLISH_TOKEN secret from the npm publish step

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@bedrich-schindler
Copy link
Contributor Author

bedrich-schindler commented Dec 20, 2025

image

I already set Trusted Provider ...

@bedrich-schindler bedrich-schindler merged commit fce2ee6 into master Dec 23, 2025
18 checks passed
@bedrich-schindler bedrich-schindler deleted the maintenance/685 branch December 23, 2025 11:00
@bedrich-schindler
Copy link
Contributor Author

bedrich-schindler commented Dec 23, 2025

NPM_PUBLISH_TOKEN removed from settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mbohal mbohal mbohal approved these changes

@adamkudrna adamkudrna adamkudrna approved these changes

Assignees

@bedrich-schindler bedrich-schindler

Labels

maintenance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Migrate npm publishing from access tokens to OICD

4 participants

@bedrich-schindler @mbohal @adamkudrna