Skip to content

Update npm publishing to use OIDC authentication #582

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update npm publishing to use OIDC authentication #582

wants to merge 1 commit into from

Conversation

@fern-support
Copy link
Contributor

Summary

This PR updates the CI workflow to use OIDC (OpenID Connect) authentication for npmjs publishing instead of static authentication tokens.

Starting in mid-November 2025, npm is deprecating long-lived authentication tokens. This migration is required to continue publishing packages from GitHub Actions.

📖 For detailed migration instructions, see: Migrating from Token-based to OIDC Publishing

Changes Made

  • Added 'permissions: id-token: write' to publish job
  • Removed NPM_TOKEN from environment variables in publish job
  • Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
  • Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
  • Removed the 'env:' section from the publish job

⚠️ Required: Configure Trusted Publishing on npm

Before merging this PR, you must configure your package as a trusted publisher on npmjs.com:

  1. Go to your package settings on npmjs.com
  2. Find the "Publishing access" section and click "Configure trusted publisher"
  3. Select "GitHub Actions" as your provider
  4. Fill in the following details:
    • Organization or user: HumeAI
    • Repository: hume-typescript-sdk
    • Workflow filename: ci.yml
    • Environment name: Leave blank (unless you use GitHub environments)

📖 Detailed instructions: npm Trusted Publisher Setup

Testing Checklist

After merging this PR and configuring trusted publishing:

  • Trigger a test publish by creating an alpha release tag (e.g., v1.0.0-alpha1)
  • Verify the GitHub Actions workflow succeeds
  • Check that the package appears on npmjs.com
  • Verify provenance badge appears on the package page (may take a few minutes)
  • Remove the NPM_TOKEN secret from repository settings once verified

Note on testing: If the version in package.json has already been published, you may see an error like:

npm error You cannot publish over the previously published versions: 0.0.28.

This is actually a good sign! It means OIDC authentication is working correctly - npm successfully authenticated your workflow and only rejected the publish because the version already exists. You can verify this worked by checking that:

  1. The workflow didn't fail with an authentication error
  2. The error message is specifically about the version being published before
  3. You can see the workflow run had proper OIDC token permissions

Troubleshooting

If you encounter issues after merging:

"Unable to authenticate" error

  • Verify the workflow filename in npm settings matches exactly (including .yml extension)
  • Ensure trusted publisher configuration matches your repository details
  • Confirm you're not using self-hosted runners (not currently supported)
  • Check that permissions: id-token: write is present in the publish job

Note: This PR was automatically generated using AI-powered workflow analysis to ensure compatibility with your existing CI setup.

@fern-support
chore: update npm publishing to use OIDC authentication
28f2617 
This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN from environment variables in publish job
- Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
- Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
- Removed the 'env:' section from the publish job
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fern-support