Skip to content

feat: enable npm Trusted Publishers#56

Merged
nicknisi merged 1 commit into
mainfrom
nicknisi/trusted-publisher
Dec 19, 2025
Merged

feat: enable npm Trusted Publishers#56
nicknisi merged 1 commit into
mainfrom
nicknisi/trusted-publisher

Conversation

@nicknisi

Copy link
Copy Markdown
Member

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets

@greptile-apps

greptile-apps Bot commented Dec 19, 2025

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR enables npm Trusted Publishers for secure, token-free package publishing using OIDC authentication. The workflow now uses GitHub's OIDC provider to authenticate with npm instead of requiring manual NPM_TOKEN secrets.

Key Changes:

  • Added id-token: write permission for OIDC authentication
  • Added --provenance flag to both release and pre-release publish commands for cryptographic attestation
  • Removed NODE_AUTH_TOKEN environment variable (no longer needed with OIDC)
  • Unrelated: Added context7.json configuration file

Security Impact:

  • Eliminates need to store and rotate npm tokens in GitHub secrets
  • Provides cryptographic provenance for published packages
  • Requires proper npm Trusted Publisher configuration on npm registry side

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The changes follow npm's official Trusted Publishers implementation pattern correctly. All required components are present: OIDC permissions, provenance flag, and token removal. The implementation is secure and represents a security upgrade from token-based authentication.
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/release.yml Updated to use OIDC authentication with provenance flags, removed manual token management

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant OIDC as GitHub OIDC Provider
    participant NPM as NPM Registry
    participant PKG as Package

    Note over GHA: Release workflow triggered
    GHA->>GHA: Checkout code
    GHA->>GHA: Setup Node 24 with npm registry
    GHA->>GHA: Install dependencies & build
    
    Note over GHA,NPM: Trusted Publisher Authentication
    GHA->>OIDC: Request OIDC token (id-token: write)
    OIDC->>GHA: Return signed JWT token
    GHA->>NPM: Publish with --provenance flag + OIDC token
    NPM->>NPM: Verify OIDC token signature
    NPM->>NPM: Check repository is configured as Trusted Publisher
    NPM->>NPM: Generate cryptographic provenance attestation
    NPM->>PKG: Publish package with provenance
    PKG-->>GHA: Success
Loading

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@nicknisi nicknisi force-pushed the nicknisi/trusted-publisher branch from e767e79 to 74e8ffc Compare December 19, 2025 16:06
@nicknisi nicknisi merged commit 84ccca9 into main Dec 19, 2025
9 checks passed
@nicknisi nicknisi deleted the nicknisi/trusted-publisher branch December 19, 2025 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants