Merged
62 changes: 0 additions & 62 deletions .github/workflows/deploy-snap-beta.yml

This file was deleted.

28 changes: 22 additions & 6 deletions .github/workflows/deploy-snap.yml
@@ -1,26 +1,37 @@
name: Deploy Snap Production
name: Deploy Snap

on:
workflow_dispatch:
inputs:
channel:
description: 'Release channel'
required: true
default: 'production'
type: choice
options:
- production
- beta

jobs:
deploy:
name: Publish Snap to npm
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.ref_name }}

- name: Set up Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'

- name: Install dependencies
run: yarn workspaces focus genlayer-wallet-plugin
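Review bot: the `channel` input defaults to `production`, so a dispatch where the operator does not change the dropdown publishes to the production channel and cuts a non-prerelease GitHub release; default it to `beta`, or drop `default:` so that `required: true` forces an explicit choice. Two further points on this hunk: the job holds `contents: write` and `id-token: write` while checking out whatever `${{ github.ref_name }}` it was dispatched from at `fetch-depth: 0`, so consider gating it with a GitHub `environment:` that has required reviewers (the environment name can also be registered with the npm trusted publisher), and pin `actions/checkout@v4` and `actions/setup-node@v4` to commit SHAs rather than moving major tags, since any code those actions run executes with the publish credentials.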
Expand Down Expand Up @@ -53,10 +64,15 @@ jobs:
tag_name: 'v${{ env.VERSION }}'
name: 'Release v${{ env.VERSION }}'
body: 'Automated release for version v${{ env.VERSION }}'
prerelease: ${{ inputs.channel == 'beta' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Publish to npm
env:
YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
run: yarn workspace genlayer-wallet-plugin npm publish --access public
working-directory: packages/snap
run: |
if [ "${{ inputs.channel }}" = "beta" ]; then
npm publish --provenance --tag beta --access public
else
npm publish --provenance --access public
fi
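Review bot: `${{ inputs.channel }}` is expanded into the `run:` script text before the shell executes it; with a `choice` input the values are fixed today, but pass it through `env:` (`CHANNEL: ${{ inputs.channel }}`) and compare `"$CHANNEL"` so the step stays safe if the input type is later relaxed to a free-form string. Also, the old `YARN_NPM_AUTH_TOKEN` env was removed and nothing replaced it, so the two `npm publish --provenance` lines authenticate only through OIDC trusted publishing, which needs a trusted publisher registered on npmjs.com for this repository and workflow filename and an npm version that supports it; state that in the PR or add the token fallback. Finally, the GitHub release with `tag_name: 'v${{ env.VERSION }}'` is created before `npm publish`, so a failed publish leaves a release and tag for a version that never reached the registry; run the publish first, or add a failure step that deletes the release.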
Comment on lines 71 to +78
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

npm oidc trusted publishing GitHub Actions 2025

💡 Result:

npm OIDC “Trusted Publishing” for GitHub Actions (status + setup, as of 2025)

  • What it is: A way to publish to npm from GitHub Actions without storing long‑lived npm tokens, by exchanging a GitHub Actions OIDC ID token for a short‑lived npm publish token. It’s generally available as of July 31, 2025. [2]
  • Requirements / key behaviors:
    • Requires npm CLI v11.5.1+. [1], [2]
    • Your workflow/job must request an OIDC token via permissions: id-token: write (and typically contents: read). [1], [3]
    • Works on GitHub-hosted runners (self-hosted runner support noted as a future improvement). [1]
    • When using trusted publishing, npm CLI publishes provenance attestations by default (no need to pass --provenance). [2]

Setup (high level)

  1. On npmjs.com (per package): Add a Trusted Publisher → GitHub Actions, specifying owner/org, repo, workflow filename, and optionally an environment name. [2], [1]
  2. In GitHub Actions workflow: Ensure OIDC permissions are granted:
permissions:
  contents: read
  id-token: write

This id-token: write permission is required for GitHub to mint the OIDC JWT your job will use. [3], [1]

Sources: npm docs on trusted publishers [1], GitHub changelog announcement (GA, provenance defaults) [2], GitHub Actions OIDC permissions docs [3].


🌐 Web query:

setup-node registry-url oidc authentication

💡 Result:

To use OIDC authentication with actions/setup-node (i.e., publish to npm without NODE_AUTH_TOKEN), you need npm “Trusted Publishing” plus the GitHub OIDC token permission.

1) Configure npm “Trusted Publisher”

In npmjs.com → your package → Settings → Trusted Publisher → GitHub Actions, register:

  • owner/org, repo, and workflow filename (optionally an environment). (docs.npmjs.com)

2) GitHub Actions workflow (OIDC publish)

name: Publish

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # required for OIDC

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci
      - run: npm publish --provenance

Key points:

  • permissions: id-token: write is the critical requirement for OIDC. (docs.npmjs.com)
  • setup-node’s registry-url configures the registry and expects auth via NODE_AUTH_TOKEN for classic token flows, but with Trusted Publishing, npm can authenticate the publish via OIDC (no secret needed). (github.com)

3) When you still need NODE_AUTH_TOKEN

If your workflow must install private npm dependencies, you still need a (read-only) token for npm ci; OIDC is “publish-only”. (docs.npmjs.com)

Note (semantic-release)

If you publish via semantic-release, their docs warn that setting registry-url in setup-node can conflict with semantic-release’s auth handling (they recommend omitting it). (semantic-release.gitbook.io)



🌐 Web query:

npm cli oidc trusted publishing NODE_AUTH_TOKEN required

💡 Result:

With npm Trusted Publishing (OIDC), NODE_AUTH_TOKEN is not required for npm publish.

  • The npm CLI (npm ≥ 11.5.1) will detect an OIDC environment and use it for publish auth, falling back to traditional tokens only if OIDC isn’t available. So a token env var is only needed when you’re not actually publishing via OIDC. [1]
  • GitHub Actions requirement: your workflow must grant id-token: write so GitHub can mint the OIDC token. [1]
  • When NODE_AUTH_TOKEN is needed: if your workflow must install private npm dependencies (e.g., during npm ci), you still need traditional auth for install, and npm recommends a read-only token via NODE_AUTH_TOKEN for that step. [1]
  • Many token-based examples (and actions/setup-node) use NODE_AUTH_TOKEN because they’re writing an .npmrc that references it—this is the classic/granular token path, not OIDC. [2]

If you’re seeing an error like “NODE_AUTH_TOKEN required” during publish, the usual causes are: you’re not on npm ≥ 11.5.1, you haven’t configured the package’s Trusted Publisher on npm, or your CI isn’t providing OIDC (id-token: write). [1]

Sources: npm Trusted Publishing docs [1]; GitHub “Publishing Node.js packages” docs (token-based .npmrc/NODE_AUTH_TOKEN) [2].


🏁 Script executed:

cat -n .github/workflows/deploy-snap.yml | head -80

Repository: genlayerlabs/genlayer-wallet

Length of output: 2855


🏁 Script executed:

grep -A 10 "permissions:" .github/workflows/deploy-snap.yml

Repository: genlayerlabs/genlayer-wallet

Length of output: 290


🌐 Web query:

Node.js 20 npm version bundled included

💡 Result:

Node.js 20 bundles npm, but the exact npm version depends on the specific Node 20 release:

  • Node.js v20.0.0 shipped with npm v9.6.4. [3]
  • The latest Node.js 20 line (e.g., v20.20.0, updated Jan 12, 2026) bundles npm v10.8.2. [1][2]

To confirm on your machine: npm -v (or node -p "process.versions.npm").


🌐 Web query:

Node.js version npm 11.5.1 bundled which version

💡 Result:

npm 11.5.1 is bundled with Node.js v24.5.0. [1]

Sources: Node.js download archive for v24.5.0 (shows “npm version v11.5.1”). [1]

[1] (nodejs.org)



Node 20's npm version (v10.8.2) does not support OIDC trusted publishing—either add NODE_AUTH_TOKEN or upgrade to Node 24+.

npm OIDC trusted publishing (now GA) requires npm v11.5.1+, which is only bundled with Node.js v24.5.0 and later. The workflow uses Node 20, which bundles npm v10.8.2 (below the required version). This will cause authentication to fail during npm publish.

To fix: either set NODE_AUTH_TOKEN (via a GitHub secret) for traditional token-based authentication, or upgrade node-version to 24 or later.

🤖 Prompt for AI Agents
In @.github/workflows/deploy-snap.yml around lines 71 - 78, The "Publish to npm"
workflow step uses Node 20 (npm v10.8.2) which doesn't support OIDC trusted
publishing; either set a NODE_AUTH_TOKEN secret for traditional token-based auth
or upgrade the setup-node action to Node 24+ so npm v11.5.1+ can use OIDC. Fix
by updating the workflow's setup-node `node-version` to 24 (or later) so the
`npm publish` commands (the block using inputs.channel and npm publish
--provenance ...) run with an npm that supports OIDC, or keep Node 20 but add an
env entry exporting NODE_AUTH_TOKEN from a GitHub secret and ensure the publish
step uses that token for authentication.
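The npm version and token checks the review describes can be made into a preflight step that fails before `npm publish` touches the registry. The script below is an added example written for this page, not code from the genlayer-wallet workflow; it assumes the publish job exports `NODE_AUTH_TOKEN` when a classic token is configured, that GitHub exports `ACTIONS_ID_TOKEN_REQUEST_URL` to the runner when the job has `id-token: write`, and that the script is saved at a path such as `scripts/preflight.sh` (the path is an assumption).

```shell
#!/bin/sh
# Added preflight check for an npm publish step (example code, not from the
# genlayer-wallet workflow). It decides which auth path `npm publish` can use:
#   oidc  - trusted publishing: npm >= 11.5.1 and the job has id-token: write
#           (GitHub then exports ACTIONS_ID_TOKEN_REQUEST_URL to the runner)
#   token - classic NODE_AUTH_TOKEN fallback
#   none  - neither available; fail before touching the registry
# The 11.5.1 threshold is the minimum the npm docs give for trusted publishing.

# version_ge A B: succeed when dotted version A >= B (numeric, three
# components; non-numeric suffixes such as "-rc.1" are ignored).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# publish_auth_mode NPM_VERSION HAVE_TOKEN HAVE_OIDC -> prints oidc|token|none
# HAVE_TOKEN / HAVE_OIDC are "1" or "0".
publish_auth_mode() {
  if [ "$3" = "1" ] && version_ge "$1" 11.5.1; then
    echo oidc
  elif [ "$2" = "1" ]; then
    echo token
  else
    echo none
  fi
}

# publish_args CHANNEL -> prints the npm publish flags for a release channel.
# Rejects anything other than the two channels the workflow defines, so a
# value that did not come from the `choice` input never reaches the shell line.
publish_args() {
  case "$1" in
    beta)       echo "--provenance --tag beta --access public" ;;
    production) echo "--provenance --access public" ;;
    *) echo "publish_args: unknown channel '$1'" >&2; return 1 ;;
  esac
}

# preflight CHANNEL: inspect the runner and either print the publish command
# to run or fail with a message that names the fix.
preflight() {
  channel=$1
  npm_version=$(npm -v 2>/dev/null || echo 0.0.0)
  have_token=0
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then have_token=1; fi
  have_oidc=0
  if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then have_oidc=1; fi
  mode=$(publish_auth_mode "$npm_version" "$have_token" "$have_oidc")
  args=$(publish_args "$channel") || return 1
  case "$mode" in
    none)
      echo "npm $npm_version cannot publish: OIDC needs npm >= 11.5.1 plus id-token: write," >&2
      echo "and NODE_AUTH_TOKEN is unset. Set NODE_AUTH_TOKEN or move to Node 24+." >&2
      return 1 ;;
    *)
      echo "auth mode: $mode (npm $npm_version)"
      echo "npm publish $args" ;;
  esac
}

# Usage inside a workflow step: sh scripts/preflight.sh --check "$CHANNEL"
if [ "${1:-}" = "--check" ]; then
  preflight "${2:-production}" || exit 1
fi
```

Run it as a step just before `Publish to npm`, with `CHANNEL: ${{ inputs.channel }}` under the step's `env:` so the input is never interpolated into the script text; on a Node 20 runner with no `NODE_AUTH_TOKEN` it exits 1 with the message above instead of letting `npm publish` fail against the registry.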