Skip to content

feat: OIDC npm support #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JaysonGCS merged 2 commits into from
Dec 12, 2025
Merged

feat: OIDC npm support #19

JaysonGCS merged 2 commits into from
Dec 12, 2025

Conversation

@JaysonGCS
Copy link
Contributor

@JaysonGCS JaysonGCS commented Dec 12, 2025

[FEATURE] Enable npm Trusted Publishing (OIDC)

Description

This PR enables npm Trusted Publishing (OIDC) for secure, token-free package publishing. By using OpenID Connect, we eliminate the need for long-lived NPM tokens in our secrets, improving security and enabling automatic provenance attestations for our packages.

Changes Made

  • Release Workflow (.github/workflows/release.yml):
    • Added id-token: write permission to the release job (required for OIDC).
    • Updated pnpm/action-setup to v4 (using pnpm v10).
    • Updated actions/setup-node usage.
    • Updated actions/checkout usage.
  • Package Configuration (package.json):
    • Added publishConfig with provenance: true and access: public to enable build attestations and verified publising.

Definition of Done

Before submitting this pull request, please ensure that the following criteria have been met:

  • All automated tests have passed successfully.
  • All manual tests have passed successfully.
  • Code has been reviewed by at least one other team member.
  • Code has been properly documented and commented as needed.
  • All new and existing code adheres to our project's coding standards.
  • All dependencies have been added or removed from the project's README or other documentation as needed.
  • Any relevant documentation or help files have been updated to reflect the changes made in this pull request.
  • Any necessary database migrations have been run.
  • Any relevant UI changes have been reviewed and approved by the UI/UX team.

Additional Notes

Important: This setup requires a one-time configuration on npmjs.com to add the GitHub repository as a trusted publisher. Once configured, the existing NPM_TOKEN can eventually be removed, though it has been retained in the workflow for now as a fallback or parallel option during the transition.

@JaysonGCS
feat: enable OIDC support and provenance for npm publishing
441dc29 
Signed-off-by: “JaysonGCS“ <goh.chung.sern@gmail.com>
@JaysonGCS
chore: retain NPM_TOKEN and update lockfile
63a4b26 
Signed-off-by: “JaysonGCS“ <goh.chung.sern@gmail.com>
@JaysonGCS JaysonGCS force-pushed the feat/oidc-npm-support branch from d93d569 to 63a4b26 Compare December 12, 2025 10:33
@JaysonGCS JaysonGCS merged commit 0c51c2c into main Dec 12, 2025
1 check passed
@JaysonGCS JaysonGCS deleted the feat/oidc-npm-support branch December 12, 2025 10:34
@github-actions
Copy link

github-actions bot commented Dec 20, 2025

🎉 This PR is included in version 1.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JaysonGCS