Support OIDC authentication for NPM publishing #52
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
NPM has deprecated classic tokens, so this adds support for OIDC authentication (Trusted Publishers) as an alternative to NPM_TOKEN. - Make NPM_TOKEN optional - only configure .npmrc when provided - For OIDC, npm handles auth automatically via GitHub's OIDC provider - Add documentation for OIDC setup in README - Bump version to 0.0.16 Fixes #50 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
billfienberg
added a commit
to Shopify/ui-extensions
that referenced
this pull request
Jan 8, 2026
Points to Shopify/snapit@support-oidc-authentication to test OIDC support before merging the snapit PR. Related: Shopify/snapit#52 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kbav
reviewed
Jan 8, 2026
There was a problem hiding this comment.
surprised to not see added code but that could just as well speak to my ignorance for OIDC support 😅
There was a problem hiding this comment.
I guess mainly so it doesn't throw an error within the absence of a token
billfienberg
added a commit
to Shopify/ui-extensions
that referenced
this pull request
Jan 8, 2026
Points to Shopify/snapit@support-oidc-authentication to test OIDC support before merging the snapit PR. Related: Shopify/snapit#52 Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2 tasks
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org' | ||
|
|
There was a problem hiding this comment.
Let's add the requirement here for the CLI of npm to be 11.5.2 at least. Else the user will get cryptic failures https://docs.npmjs.com/trusted-publishers
Contributor
Author
There was a problem hiding this comment.
✅ 11.5.2 requirement has been added in 6ca8a03
Contributor
Author
|
Successful snapshot version: |
- Change OIDC from "recommended" to "required" - Add npm CLI 11.5.2+ version requirement for OIDC - Remove NPM_TOKEN workflow example and documentation - Remove NPM_TOKEN handling code from index.ts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
package.json
Outdated
| "name": "snapit", | ||
| "private": true, | ||
| "version": "0.0.15", | ||
| "version": "0.0.16", |
There was a problem hiding this comment.
If we bump this as a patch with this many breaking changes we should check who is consuming this and whether or not they are already using OIDC, else we might break a lot of the consumers.
According to SemVer, in pre 1.0.0 versions a minor version can be used to indicate breaking changes
Minor version bump per SemVer conventions for pre-1.0.0 breaking changes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
JoviDeCroock
approved these changes
Jan 13, 2026
kbav
approved these changes
Jan 13, 2026
kbav
left a comment
kbav
left a comment
There was a problem hiding this comment.
Approving based on seeing this branch work for ui-extensions repo 🥳
Mark NPM_TOKEN as deprecated but still functional for external users who may have valid tokens. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
alex-page
reviewed
Jan 13, 2026
Member
alex-page
left a comment
alex-page
left a comment
There was a problem hiding this comment.
If the OIDC token is the new way for NPM to publish could we remove the backwards compat completely? I don't see the point in maintaining that.
OIDC authentication is now the only supported method for npm publishing. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor
Author
✅ Backways compat has been removed in b026c0f |
alex-page
approved these changes
Jan 14, 2026
5 tasks
lrsterrett
added a commit
to Shopify/ui-extensions
that referenced
this pull request
Jan 23, 2026
* Improved Table examples * added numeric to the default example as well * Update content on customer accounts polaris page * Version Packages (#3457) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Solves all issues after passing validation on the admin examples * fixed tooltip with accessory after removing the div * removed some warnings on the examples * Add component method docs for Customer accounts (#3519) ### Background Part of shop/issues-checkout#8471 Related to Shopify/shopify-dev#64144 This PR adds documentation for using methods in Polaris Web Components within static pages of the customer account surface. ### Solution Added a new "Methods" section to the Polaris Web Components documentation that explains: - What methods are (functions for programmatic control) - When to use methods (for actions that can't be achieved through property changes alone) - Examples showing how to use methods like `hideOverlay()` with components like Modal The documentation includes code examples in both JSX and vanilla JavaScript formats, demonstrating how to create and control a modal using methods. ### 🎩 See Shopify/shopify-dev#64144 for details ### Checklist - [x] I have 🎩'd these changes - [ ] I have updated relevant documentation * Add best practices to all customer account components (#3490) ### Background Part of shop/issues-checkout#8472 Part of shop/issues-checkout#8578 Part of shop/issues-checkout#8511 Part of shop/issues-checkout#8508 Part of shop/issues-checkout#8507 Part of shop/issues-checkout#8509 Part of shop/issues-checkout#8510 Part of shop/issues-checkout#8512 Related to Shopify/shopify-dev#63804 This PR improves the documentation for Customer Account UI Extension components by enhancing best practices sections with more detailed, actionable guidance. ### Solution Updated the best practices sections for multiple components to provide clearer, more specific guidance for developers. The changes include: - **Avatar**: Improved readability with better formatting and more concise language - **ButtonGroup**: Added a new best practices section with guidelines for grouping actions - **CustomerAccountAction**: Expanded guidance on information collection and form design - **ImageGroup**: Added recommendations for accessibility and visual spacing - **Menu**: Restructured content with clearer headings and more detailed organization principles - **Page**: Reorganized with clear subsections for headings, subheadings, and page-level actions - **Section**: Added a new best practices section with guidance on headings and actions These improvements make the documentation more actionable and help developers create more consistent, user-friendly interfaces. ### 🎩 See Shopify/shopify-dev#63804 for details ### Checklist - [x] I have 🎩'd these changes - [ ] I have updated relevant documentation * fixes issues in a bunch of components, patterns and code blocks * fixed the download attribute * reverting changes on s-grid gap * Add footerHelp, resourceList, and actionMenu patterns with examples and screenshots * Fix Aria labels * Removed action menu * Remove action menu doc file * Add aspectRatio comment to empty state examples * Update admin ui extensions and fix TextField children * fix for PR comments * Version Packages * 20155: Add Box to BlockExtensionComponents * Version Packages * Use currentTarget consistently * [Docs]: Fast-follows changes to components docs and APIs (#3527) * known changes * more changes * changeset * changeset updates * build-docs file * Version Packages (#3535) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Adds components to POS cart line item interface * Switch last changeset to patch Submitting a minor release results in an incorrect version bump for the package release PR, so we're going to try to release updates to POS cart api as a patch instead. * Version Packages * Add DropZone docs to admin extensions * Document window.close() for pos ui extensions * Expose il8n for POS ui extensions * added two new examples on Page to showcase breadcrumbs and secondary actions * Improved API and prop descriptions fo 2025-10 Component prop descriptions Component descriptions in index page cards Event data descriptions Type descriptions component descriptions lint Prop description fixes Additional context in descriptions contractions break up longer descs remove enhanced / improved language * Add changeset patch for pos ui extensions il8n * Add code examples of POS subscriptions UI extension * Move ProductSortType desc * Add 64kb limit notes * Add backticks around 2025-10 * Improved descriptions for targets, APIs, and components * 20149: Add mcp docs for POS (#3549) * Remove 'and detail pages' from Tile component description * Adds point of sale LineItemComponent type export * Version Packages * Implemented icon preview as a subSection of Icon docs * going back to the inline iframe approach * Supporting dark mode * Add UID to discount example configuration * Add UID and description to Shopify extension config * use filter:invert for dark mode on icon * Fixed race condition on icon explorer when switching dark mode and navigating * add tipAmount to BaseTransactionComplete type (#3586) ### Background Our compliance partners need tipAmount available in the data payload they receive for reporting. This PR updates the BaseTransactionComplete type to include tipAmount as optional. shop/issues-retail#20523 shop/issues-retail#20463 ### Solution Add tipAmount to BaseTransactionComplete type ### Checklist - [x] I have 🎩'd these changes - [ ] I have updated relevant documentation * Remove unstable reference from customer api doc * Improve example titles and descriptions * Alphabetize examples by title * fixes race condition of iframe not receiving theme value * added fuzzy search to icon finder * Add initial batch * Add more components * Add more pos ui extension doc examples * Add more docs * Add back in Banner docs * Best practices and limitations * Reorganize sub-categories * linting * linting * Update Image.d.ts * fix snapit.yml (#3599) * Add changeset * add composed choice example to ChoiceList * [POS UI extensions version 2025-10]: Refine example descriptions, limitations, and links (#3605) * Refine example descriptions * Refine limitations * Add cross-reference to other component docs Fix version Fix type error Move subSection to original position * Add missing example descriptions Fixes * Further refinements Wording * Integrate feedback from Tim * POS UI extensions components reference docs updates (#3607) * Update Components section to remove inappropriate content from limitations sections and add to description * Linting * Formatting, typos, and other minor revisions --------- Co-authored-by: Michelle Vinci <michelle.vinci@shopify.com> * POS UI extensions components reference docs updates (#3607) * Update Components section to remove inappropriate content from limitations sections and add to description * Linting * Formatting, typos, and other minor revisions --------- Co-authored-by: Michelle Vinci <michelle.vinci@shopify.com> * code styling --------- Co-authored-by: Tim Trevor <tim.trevor@shopify.com> * Rename ProductSearch to Product Search (#3610) * [Copy edits]: POS UI extensions versions 2025-10 (#3619) * Revised component, prop, and example descriptions Revisions on second half of components Fixes * Revised repetitive 'A callback function' statement * Fix links to point to 2025-10 * Incorporate feedback from Tim * Clarify how to layout multiple form fields * Remove POS camera scanner examples * Redefine subcategory for Storage API (#3635) * Add back missing limitations to storage api docs * Improve admin component documentation for common usage patterns * Add comment on paragraph * docs: fix metafield and metaobject definition intent docs * Update change set to patch update for alt prop to POS Image * Version Packages * update npm deploy workflow to OIDC. (#3662) * fix latest npm release tagging. (#3663) * Add changeset to fix npm latest tag * Version Packages (#3666) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix latest npm release tagging. (#3668) * fix latest tag (#3669) * Version Packages (#3670) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Fix latest npm release tagging for `2025-10` (#3671) * fix latest npm release tagging. * add temporary `workflow_dispatch` for deploy workflow. * Remove children slot from DropZone docs * add manual fix (#3679) * Add temporary manual sync step for latest NPM tag (#3684) * Fix NPM OIDC authentication for manual dist-tagging (#3685) * update deploy workflow to use oidc and classic hybrid approach (#3686) * remove temp steps (#3689) * Fix snapit workflow: use comment_command instead of trigger_comment (#3707) The snapit action's source code reads 'comment_command' but the action.yml was renamed to 'trigger_comment' without rebuilding the dist. This caused /snapit comments to be silently ignored. Using 'comment_command' which is the actual input name the code reads. * Move snapit to unified OIDC ready deploy.yml workflow * [snapit] Fix warning and try a fix for yarn bild * [snapit] revert to comment_command * Fix snapit: remove changeset pre exit from build script The 'changeset pre exit' command fails because the repo is not in pre-release mode (no .changeset/pre.json file exists). This command was incorrectly added and causes all /snapit requests to fail. * Test snapit OIDC authentication branch (#3713) Points to Shopify/snapit@support-oidc-authentication to test OIDC support before merging the snapit PR. Related: Shopify/snapit#52 Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * [Admin UI extensions 2025-10]: IA for Target APIs and components (#3696) * IA for Target APIs linting Further revision * IA for components revert file change Revert file change * Add npm update step in deploy workflow Added step to update npm to the latest version before creating a snapshot. * update .nvmrc to match dev.yml (#3720) * Add admin.app.tools.data extension target (#3706) * Add admin.app.search.data extension target * Add changeset for admin.app.search.data target * Format changeset file with Prettier * Rename admin.app.search.data to admin.app.tools.data - Rename SearchDataApi to ToolsDataApi - Rename SearchDataOutput to ToolsDataOutput - Rename api/search-data directory to api/tools-data - Update extension target name * Rename SearchResult to ToolResult Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Change admin.app.tools.data to return undefined Remove ToolsDataOutput and ToolResult types as the extension target now returns undefined per issue requirements. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Use StandardApi for admin.app.tools.data target Remove custom ToolsDataApi in favor of StandardApi. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * Fix deploy: update Node.js to v20.17.0 for npm@11.7 compatibility npm@11.7 requires Node.js ^20.17.0 || >=22.9.0, but the project was using v20.10.0 which caused the deploy workflow to fail. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * use latest version of snapit (#3724) * Version Packages (#3722) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * lint fixes * Resolve conflicts for Admin * Update api version in customer account example * use latest version of snapit (#3724) * fix conflicts with POS APIs. * pos components in line with 2026-01-rc --------- Co-authored-by: David Cortés <477473+davebcn87@users.noreply.github.com> Co-authored-by: andrewmcgov <andrew.mcgoveran@shopify.com> Co-authored-by: shopify-github-actions-access[bot] <109624739+shopify-github-actions-access[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Andrew McGoveran <andrewmcgoveran@gmail.com> Co-authored-by: Lianne Sit <lsit@users.noreply.github.com> Co-authored-by: Maxence Parenteau <maxence.parenteau@shopify.com> Co-authored-by: Sam Rose <11774595+sam-b-rose@users.noreply.github.com> Co-authored-by: andy-chhuon <andy.chhuon@shopify.com> Co-authored-by: Jovi De Croock <jovi.decroock@shopify.com> Co-authored-by: Igor Martins <m.oliverunb@gmail.com> Co-authored-by: Jovi De Croock <decroockjovi@gmail.com> Co-authored-by: Alex Graffeo-Cohen <alex.graffeocohen@shopify.com> Co-authored-by: Nathan Oliveira <nathan.oliveira@shopify.com> Co-authored-by: Nathan Oliveira <nathanjollee@gmail.com> Co-authored-by: Victor Chu <victor.chu@shopify.com> Co-authored-by: Michelle Vinci <michelle.vinci@shopify.com> Co-authored-by: Jane Zhu <jane.zhu@shopify.com> Co-authored-by: Jane Zhu <janezhu918@gmail.com> Co-authored-by: David Cameron <david.cameron@shopify.com> Co-authored-by: David Cameron <davejcameron@users.noreply.github.com> Co-authored-by: Stephanie Ordaz <stephanie.ordaz@shopify.com> Co-authored-by: Chad Cromwell <chad.cromwell@shopify.com> Co-authored-by: Britta Evans-Fenton <britta.evansfenton@shopify.com> Co-authored-by: H T <fatbattk@users.noreply.github.com> Co-authored-by: Prakash Raman <prakash.raman@shopify.com> Co-authored-by: Tim Trevor <tim.trevor@shopify.com> Co-authored-by: Prakash Raman <prakash.raman.ka@gmail.com> Co-authored-by: Victor Chu <victorchu1996@gmail.com> Co-authored-by: Olavo Santos <olavo.a.santos@gmail.com> Co-authored-by: Raman Lally <33904740+Rmnlly@users.noreply.github.com> Co-authored-by: Bill Fienberg <billfienberg@users.noreply.github.com> Co-authored-by: Kyle Bavender <kyle.bavender@shopify.com> Co-authored-by: Bill Fienberg <bill.fienberg@shopify.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Trish Ta <trish.ta@gmail.com> Co-authored-by: Han T. <han.tan@shopify.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
NPM has deprecated classic tokens, so this PR removes
NPM_TOKENsupport and requires OIDC authentication (Trusted Publishers) for npm publishing.Changes
NPM_TOKENsupport - Classic tokens are deprecated by NPMBreaking Changes
NPM_TOKENenvironment variable is no longer supportedid-token: writepermissionactions/setup-nodewithregistry-url: 'https://registry.npmjs.org'NPM_CONFIG_PROVENANCE: trueRequirements
Fixes #50