
feat: enable npm provenance with OIDC and Node 24 for semantic-release #413

Merged
Jamie-BitFlight merged 2 commits into main from claude/fix-semantic-release-node-version-011CUpBbScMduUTctqgM3pYN
Nov 5, 2025


@Jamie-BitFlight
Contributor

  • Add Node 24 setup for semantic-release (satisfies v25.0.1 requirement: ^22.14.0 || >= 24.10.0)
  • Enable npm provenance with OIDC authentication (no manual token needed)
  • Remove NPM_TOKEN and NODE_AUTH_TOKEN from workflow (OIDC handles auth automatically)
  • Configure @semantic-release/npm with provenance: true for attestation

How it works:

  • Workflow has id-token: write permission for OIDC
  • npm CLI detects provenance: true in package.json
  • npm automatically exchanges GitHub OIDC token for npm authentication
  • Package published with provenance attestation

Description

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test update
  • Build/CI update
  • Other (please describe):

Related Issues

  • Fixes #
  • Related to #

Changes Made

Testing

  • All existing tests pass
  • Added new tests for new functionality
  • Manually tested the changes
  • Updated documentation

Checklist

  • My code follows the project's code style
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes

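The four conditions listed in the PR description can be checked before a release run. The following is an added example, not code from this repository or from semantic-release: `auditRelease` and `nodeSatisfiesRange` are hypothetical names, the workflow and package.json inputs are constructed samples, and the provenance flag is assumed to live at `publishConfig.provenance`.

```javascript
// Added example; sample inputs are constructed, not this repository's files.

// Node range quoted in the PR: ^22.14.0 || >=24.10.0
function nodeSatisfiesRange(version) {
  const [major, minor] = version.replace(/^v/, "").split(".").map(Number);
  if (major === 22) return minor >= 14; // ^22.14.0 never leaves 22.x
  if (major === 24) return minor >= 10;
  return major > 24; // 23.x and everything below 22 are excluded
}

// Returns a list of findings; an empty list means all four conditions hold.
function auditRelease(workflowYaml, packageJsonText, nodeVersion) {
  const findings = [];
  // Strip YAML comments so a commented-out permission does not count.
  const lines = workflowYaml.split("\n").map((l) => l.replace(/(^|\s)#.*$/, ""));
  if (!lines.some((l) => /^\s*id-token:\s*write\s*$/.test(l)))
    findings.push("no 'id-token: write' permission: OIDC token cannot be requested");
  for (const name of ["NPM_TOKEN", "NODE_AUTH_TOKEN"])
    if (lines.some((l) => l.includes(name)))
      findings.push(`long-lived credential still referenced: ${name}`);
  // Assumption: the flag lives at publishConfig.provenance in package.json.
  const pkg = JSON.parse(packageJsonText);
  if (!(pkg.publishConfig && pkg.publishConfig.provenance === true))
    findings.push("publishConfig.provenance is not true");
  if (!nodeSatisfiesRange(nodeVersion))
    findings.push(`Node ${nodeVersion} is outside ^22.14.0 || >=24.10.0`);
  return findings;
}

// Constructed sample workflow (OIDC style) and a token-based variant of it.
const oidcWorkflow = [
  "permissions:",
  "  contents: write",
  "  id-token: write",
  "jobs:",
  "  release:",
  "    steps:",
  "      - uses: actions/setup-node@v4",
  "        with:",
  "          node-version: 24",
  "      - run: npx semantic-release",
].join("\n");
const tokenWorkflow = oidcWorkflow.replace("  id-token: write\n", "") +
  "\n        env:\n          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}";
const provenancePkg = JSON.stringify({ name: "example-pkg", publishConfig: { provenance: true } });

console.log(auditRelease(oidcWorkflow, provenancePkg, "24.10.0")); // []
console.log(auditRelease(tokenWorkflow, '{"name":"example-pkg"}', "23.5.0"));
```

The workflow scan is line-based rather than a full YAML parse, so it reports a token reference anywhere in the file, including jobs unrelated to publishing.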
@coderabbitai

coderabbitai bot commented Nov 5, 2025

Caution

Review failed

The head commit changed during the review from 9e442a7 to 7af09a0.


@github-actions
Contributor

github-actions bot commented Nov 5, 2025

Coverage Report

| Status | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🔵 | Lines | 49.81% | 402 / 807 |
| 🔵 | Statements | 50.48% | 414 / 820 |
| 🔵 | Functions | 65.74% | 71 / 108 |
| 🔵 | Branches | 49.38% | 200 / 405 |

File Coverage: No changed files found.
Generated in workflow #248 for commit 7af09a0 by the Vitest Coverage Report Action

@Jamie-BitFlight Jamie-BitFlight merged commit c526aae into main Nov 5, 2025
10 checks passed
@Jamie-BitFlight Jamie-BitFlight deleted the claude/fix-semantic-release-node-version-011CUpBbScMduUTctqgM3pYN branch November 5, 2025 20:54
Jamie-BitFlight pushed a commit that referenced this pull request Nov 5, 2025
# [1.9.0](v1.8.0...v1.9.0) (2025-11-05)

### Bug Fixes

* add division by zero check and improve diff error handling ([cc937f9](cc937f9))
* add integration test and resolve linting issues ([9e8993a](9e8993a)), closes [#335](#335) [#335](#335)
* apply linting and formatting fixes ([a4392aa](a4392aa))
* correct lint:eslint:fix script and apply auto-fixes ([fa7bcee](fa7bcee))
* remove match regex from nconf env config to enable INPUT_ var transformation ([b61f097](b61f097))
* update nconf import for CommonJS/ESM compatibility ([#409](#409)) ([1878c34](1878c34))
* use Node 24 for semantic-release to satisfy version requirement ([529a2d2](529a2d2))
* use Node 24 for semantic-release to satisfy version requirement ([5e0acc4](5e0acc4))
* use sanitized artifact names to avoid special characters ([f64a248](f64a248))

### Features

* add integration test workflow for real-world repositories ([ca961e5](ca961e5))
* add matrix testing for Node.js 20.x and 24.x versions ([aa4ee85](aa4ee85))
* add Value column to outputs table and pre-commit hook documentation ([81a096d](81a096d))
* enable npm provenance for automated publishing without manual token ([b2484cf](b2484cf))
* enable npm provenance with OIDC and Node 24 for semantic-release ([#413](#413)) ([c526aae](c526aae))
Jamie-BitFlight pushed a commit that referenced this pull request Nov 5, 2025
# [1.8.0](v1.7.2...v1.8.0) (2025-11-05)

### Bug Fixes

* add 'vibes' to contributions for Jamie Nelson ([#414](#414)) ([684c155](684c155))
* add division by zero check and improve diff error handling ([cc937f9](cc937f9))
* add integration test and resolve linting issues ([9e8993a](9e8993a)), closes [#335](#335) [#335](#335)
* apply linting and formatting fixes ([a4392aa](a4392aa))
* correct lint:eslint:fix script and apply auto-fixes ([fa7bcee](fa7bcee))
* **defaults:** fix npm release blockage ([34e2f46](34e2f46))
* remove match regex from nconf env config to enable INPUT_ var transformation ([b61f097](b61f097))
* update nconf import for CommonJS/ESM compatibility ([#409](#409)) ([1878c34](1878c34))
* use Node 24 for semantic-release to satisfy version requirement ([529a2d2](529a2d2))
* use Node 24 for semantic-release to satisfy version requirement ([5e0acc4](5e0acc4))
* use sanitized artifact names to avoid special characters ([f64a248](f64a248))

### Features

* add integration test workflow for real-world repositories ([ca961e5](ca961e5))
* add matrix testing for Node.js 20.x and 24.x versions ([aa4ee85](aa4ee85))
* add Value column to outputs table and pre-commit hook documentation ([81a096d](81a096d))
* enable npm provenance for automated publishing without manual token ([b2484cf](b2484cf))
* enable npm provenance with OIDC and Node 24 for semantic-release ([#413](#413)) ([c526aae](c526aae))
* **refactor:** JSDocs added, Unit Tests added using ViTest, refactored for maintainability ([#239](#239)) ([0451f2c](0451f2c))