ci: switch to npm trusted publishing (OIDC) #36
- Add `id-token: write` permission for OIDC
- Add `registry-url` to setup-node
- Switch from `yarn npm publish` to `npm publish --provenance`
- Remove `NPM_AUTH_TOKEN` dependency
- Bump actions/checkout and actions/setup-node to v4
📝 Walkthrough

Deleted the dedicated beta publish workflow and updated the main snap deployment workflow to accept a required release channel input (production|beta), upgrade action versions, configure the npm registry, and conditionally publish/release with beta tagging and prerelease support.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Dev as Developer (push/PR)
    participant GH as GitHub Actions Workflow (deploy-snap.yml)
    participant Runner as Actions Runner
    participant Registry as npm Registry
    participant Release as GitHub Release (softprops/action-gh-release)
    Dev->>GH: push / workflow_dispatch (channel)
    GH->>Runner: start job (checkout, setup-node, install, build)
    Runner->>Release: create GitHub Release (prerelease? channel==beta)
    Runner->>Registry: publish package (--tag beta if channel==beta)
    Registry-->>Runner: publish result
    Release-->>GH: release created
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: ✅ 3 passed
Combines deploy-snap.yml and deploy-snap-beta.yml into one workflow with a "channel" dropdown (production/beta). Only one workflow filename needed for npm trusted publishing config.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/deploy-snap.yml (1)
62-62: ⚠️ Potential issue | 🟡 Minor

Upgrade `softprops/action-gh-release` to v2 or later. This action currently uses v1, which targets the deprecated Node.js 16 GitHub Actions runtime. v2 targets Node.js 20 and has been stable since March 2024 (latest: v2.5.0). GitHub deprecated the Node.js 16 runtime with a June 30, 2024 sunset date.
Suggested fix
- uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2
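Review bot: `@v2` in the suggested replacement line is a mutable major-version tag, and this job also holds `id-token: write` for the npm publish; pin `softprops/action-gh-release` to a full commit SHA (keeping the version in a trailing comment) so that what runs alongside that OIDC grant cannot change when the tag is moved, and review the v1 to v2 change as a major-version bump rather than a drop-in swap.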
🤖 Fix all issues with AI agents
In @.github/workflows/deploy-snap.yml:
- Around line 71-78: The "Publish to npm" workflow step uses Node 20 (npm
v10.8.2) which doesn't support OIDC trusted publishing; either set a
NODE_AUTH_TOKEN secret for traditional token-based auth or upgrade the
setup-node action to Node 24+ so npm v11.5.1+ can use OIDC. Fix by updating the
workflow's setup-node `node-version` to 24 (or later) so the `npm publish`
commands (the block using inputs.channel and npm publish --provenance ...) run
with an npm that supports OIDC, or keep Node 20 but add an env entry exporting
NODE_AUTH_TOKEN from a GitHub secret and ensure the publish step uses that token
for authentication.
🧹 Nitpick comments (1)
.github/workflows/deploy-snap.yml (1)
47-51: Beta channel publishes a regular patch version under the `beta` dist-tag. The version patch step (Line 49) bumps to a standard semver (e.g., 1.0.1) regardless of channel. For beta releases, it's conventional to use a prerelease identifier (e.g., 1.0.1-beta.0) so that the version itself signals its pre-release nature. Currently, a user who pins a specific version won't know it was a beta. This is how the deleted `deploy-snap-beta.yml` likely handled it too, so if this is intentional, feel free to disregard.

Suggested approach for beta prerelease versioning
- name: Patch version run: | - yarn workspace genlayer-wallet-plugin version patch + if [ "${{ inputs.channel }}" = "beta" ]; then + yarn workspace genlayer-wallet-plugin version prerelease --preid beta + else + yarn workspace genlayer-wallet-plugin version patch + fi VERSION=$(jq -r ".version" "packages/snap/package.json") echo "VERSION=$VERSION" >> "$GITHUB_ENV"Also applies to: 71-78
| - name: Publish to npm | ||
| env: | ||
| YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} | ||
| run: yarn workspace genlayer-wallet-plugin npm publish --access public | ||
| working-directory: packages/snap | ||
| run: | | ||
| if [ "${{ inputs.channel }}" = "beta" ]; then | ||
| npm publish --provenance --tag beta --access public | ||
| else | ||
| npm publish --provenance --access public | ||
| fi |
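Review bot: the new `run:` block interpolates `${{ inputs.channel }}` directly into the shell script. Because `channel` is a fixed dropdown (production/beta) this is not exploitable as written, but it is the pattern GitHub's script-injection guidance warns against and it becomes risky the moment the input is changed to free text; pass the value through the environment instead, with `env: CHANNEL: ${{ inputs.channel }}` on the step and `if [ "$CHANNEL" = "beta" ]; then` in the script. Separately, removing `YARN_NPM_AUTH_TOKEN` leaves the step with no fallback: as the Node 20 / npm v10.8.2 finding in this thread shows, an old npm or a job without an OIDC token now fails the publish outright, which is the correct failure mode, but it happens after the version bump and release have already been made, so a preflight check earlier in the job is worth adding.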
🧩 Analysis chain
🌐 Web query:
npm oidc trusted publishing GitHub Actions 2025
💡 Result:
npm OIDC “Trusted Publishing” for GitHub Actions (status + setup, as of 2025)
- What it is: A way to publish to npm from GitHub Actions without storing long‑lived npm tokens, by exchanging a GitHub Actions OIDC ID token for a short‑lived npm publish token. It’s generally available as of July 31, 2025. [2]
- Requirements / key behaviors:
- Requires npm CLI v11.5.1+. [1], [2]
- Your workflow/job must request an OIDC token via `permissions: id-token: write` (and typically `contents: read`). [1], [3]
- Works on GitHub-hosted runners (self-hosted runner support noted as a future improvement). [1]
- When using trusted publishing, npm CLI publishes provenance attestations by default (no need to pass `--provenance`). [2]
Setup (high level)
- On npmjs.com (per package): Add a Trusted Publisher → GitHub Actions, specifying owner/org, repo, workflow filename, and optionally an environment name. [2], [1]
- In GitHub Actions workflow: Ensure OIDC permissions are granted:

```yaml
permissions:
  contents: read
  id-token: write
```

  This `id-token: write` permission is required for GitHub to mint the OIDC JWT your job will use. [3], [1]
Sources: npm docs on trusted publishers [1], GitHub changelog announcement (GA, provenance defaults) [2], GitHub Actions OIDC permissions docs [3].
🌐 Web query:
setup-node registry-url oidc authentication
💡 Result:
To use OIDC authentication with actions/setup-node (i.e., publish to npm without NODE_AUTH_TOKEN), you need npm “Trusted Publishing” plus the GitHub OIDC token permission.
1) Configure npm “Trusted Publisher”
In npmjs.com → your package → Settings → Trusted Publisher → GitHub Actions, register:
- owner/org, repo, and workflow filename (optionally an environment). (docs.npmjs.com)
2) GitHub Actions workflow (OIDC publish)
```yaml
name: Publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write # required for OIDC
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish --provenance
```

Key points:
- `permissions: id-token: write` is the critical requirement for OIDC. (docs.npmjs.com)
- setup-node's `registry-url` configures the registry and expects auth via `NODE_AUTH_TOKEN` for classic token flows, but with Trusted Publishing, npm can authenticate the publish via OIDC (no secret needed). (github.com)
3) When you still need NODE_AUTH_TOKEN
If your workflow must install private npm dependencies, you still need a (read-only) token for npm ci; OIDC is “publish-only”. (docs.npmjs.com)
Note (semantic-release)
If you publish via semantic-release, their docs warn that setting registry-url in setup-node can conflict with semantic-release’s auth handling (they recommend omitting it). (semantic-release.gitbook.io)
Citations:
- 1: https://docs.npmjs.com/trusted-publishers?utm_source=openai
- 2: https://docs.npmjs.com/trusted-publishers?utm_source=openai
- 3: https://github.com/actions/setup-node?utm_source=openai
- 4: https://docs.npmjs.com/trusted-publishers?utm_source=openai
- 5: https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions?utm_source=openai
🌐 Web query:
npm cli oidc trusted publishing NODE_AUTH_TOKEN required
💡 Result:
With npm Trusted Publishing (OIDC), NODE_AUTH_TOKEN is not required for npm publish.
- The npm CLI (npm ≥ 11.5.1) will detect an OIDC environment and use it for publish auth, falling back to traditional tokens only if OIDC isn’t available. So a token env var is only needed when you’re not actually publishing via OIDC. [1]
- GitHub Actions requirement: your workflow must grant `id-token: write` so GitHub can mint the OIDC token. [1]
- When `NODE_AUTH_TOKEN` is needed: if your workflow must install private npm dependencies (e.g., during `npm ci`), you still need traditional auth for install, and npm recommends a read-only token via `NODE_AUTH_TOKEN` for that step. [1]
- Many token-based examples (and `actions/setup-node`) use `NODE_AUTH_TOKEN` because they're writing an `.npmrc` that references it; this is the classic/granular token path, not OIDC. [2]
If you’re seeing an error like “NODE_AUTH_TOKEN required” during publish, the usual causes are: you’re not on npm ≥ 11.5.1, you haven’t configured the package’s Trusted Publisher on npm, or your CI isn’t providing OIDC (id-token: write). [1]
Sources: npm Trusted Publishing docs [1]; GitHub “Publishing Node.js packages” docs (token-based .npmrc/NODE_AUTH_TOKEN) [2].
🏁 Script executed:
`cat -n .github/workflows/deploy-snap.yml | head -80`
Repository: genlayerlabs/genlayer-wallet
Length of output: 2855
🏁 Script executed:
`grep -A 10 "permissions:" .github/workflows/deploy-snap.yml`
Repository: genlayerlabs/genlayer-wallet
Length of output: 290
🌐 Web query:
Node.js 20 npm version bundled included
💡 Result:
Node.js 20 bundles npm, but the exact npm version depends on the specific Node 20 release:
- Node.js v20.0.0 shipped with npm v9.6.4. [3]
- The latest Node.js 20 line (e.g., v20.20.0, updated Jan 12, 2026) bundles npm v10.8.2. [1][2]
To confirm on your machine: npm -v (or node -p "process.versions.npm").
🌐 Web query:
Node.js version npm 11.5.1 bundled which version
💡 Result:
npm 11.5.1 is bundled with Node.js v24.5.0. [1]
Sources: Node.js download archive for v24.5.0 (shows “npm version v11.5.1”). [1]
[1] (nodejs.org)
Node 20's npm version (v10.8.2) does not support OIDC trusted publishing—either add NODE_AUTH_TOKEN or upgrade to Node 24+.
npm OIDC trusted publishing (now GA) requires npm v11.5.1+, which is only bundled with Node.js v24.5.0 and later. The workflow uses Node 20, which bundles npm v10.8.2 (below the required version). This will cause authentication to fail during npm publish.
To fix: either set NODE_AUTH_TOKEN (via a GitHub secret) for traditional token-based authentication, or upgrade node-version to 24 or later.
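A preflight step for the publish job, added here as an example (it is not code from the genlayer-wallet repository or from the reviewers above): it turns the two runner-side causes of the "NODE_AUTH_TOKEN required" failure discussed in this thread, an npm older than 11.5.1 and a job without an `id-token: write` grant, into a check that fails the job before `npm publish` runs. The 11.5.1 threshold and the Node 24.5 bundling come from the thread; `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` are the environment variables GitHub Actions sets for a job that is allowed to request an OIDC token; the script name `npm-oidc-preflight.sh` is an assumption.

```shell
#!/usr/bin/env sh
# npm-oidc-preflight.sh (added example, not from the genlayer-wallet repo):
# run as a `run:` step right before `npm publish` in a job that relies on npm
# trusted publishing. It checks the two runner-side preconditions named in the
# review thread: npm >= 11.5.1 and an OIDC token actually being obtainable.

# Minimum npm CLI version for trusted publishing (from the npm docs cited above).
MIN_NPM_VERSION="11.5.1"

# field VERSION N: print the N-th dot-separated field of VERSION (empty if absent).
field() { printf '%s\n' "$1" | cut -d. -f"$2"; }

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing the
# first three fields numerically; a prerelease suffix such as "-pre.0" is ignored.
version_ge() {
  v1=${1%%-*}; v2=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(field "$v1" "$i"); y=$(field "$v2" "$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# npm_supports_oidc [VERSION]: succeed when the npm version (the argument, or the
# installed `npm -v` when no argument is given) is new enough for OIDC publishing.
npm_supports_oidc() {
  ver=${1:-$(npm -v 2>/dev/null || true)}
  [ -n "$ver" ] && version_ge "$ver" "$MIN_NPM_VERSION"
}

# oidc_token_available: succeed when GitHub has exposed the OIDC token endpoint to
# this job. Both variables are only set when the job (or the whole workflow)
# declares `permissions: id-token: write`.
oidc_token_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# preflight: run both checks, report each, and fail (exit 1) if either is unmet so
# the job stops here rather than after the version bump and GitHub release.
preflight() {
  status=0
  if npm_supports_oidc; then
    echo "ok: npm $(npm -v) >= $MIN_NPM_VERSION"
  else
    echo "error: npm $(npm -v 2>/dev/null || echo '<missing>') is older than $MIN_NPM_VERSION;" \
         "use a Node release bundling npm >= $MIN_NPM_VERSION (Node 24.5+) or fall back to NODE_AUTH_TOKEN" >&2
    status=1
  fi
  if oidc_token_available; then
    echo "ok: OIDC token endpoint present (id-token: write granted)"
  else
    echo "error: no OIDC token endpoint; add 'permissions: id-token: write' to the job" >&2
    status=1
  fi
  return "$status"
}

# Only run the checks when executed as a script; sourcing the file just defines the functions.
case "${0##*/}" in
  npm-oidc-preflight.sh) preflight ;;
esac
```

Commit it (for example as `.github/scripts/npm-oidc-preflight.sh`, an assumed path) and add `- run: sh .github/scripts/npm-oidc-preflight.sh` as the step immediately before the publish step. It deliberately does not cover the third cause listed above, a missing Trusted Publisher entry on npmjs.com, because only the registry can report that.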
Summary
- Switch from `NPM_AUTH_TOKEN` to npm OIDC trusted publishing with provenance
- `id-token: write` permission for OIDC token exchange
- `npm publish --provenance` instead of `yarn workspace ... npm publish`
- Trusted publisher config needed on npmjs.com

Package: `genlayer-wallet-plugin`
Owner: `genlayerlabs`
Repository: `genlayer-wallet`
Workflow: `deploy-snap.yml` (and `deploy-snap-beta.yml`)

Test plan
- Trusted publisher configured on npmjs.com for `genlayer-wallet-plugin`
- Run the `Deploy Snap Production` workflow manually