This repository was archived by the owner on Jan 27, 2026. It is now read-only.
This repository was archived by the owner on Jan 27, 2026. It is now read-only.
Migrate to npm Trusted Publishing #174
Description
Why migrate to Trusted Publishing?
As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).
Benefits:
- Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
- No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
- Automatic Provenance Attestation: Provides better audit trails and security transparency
- Simplified Security Model: Reduces attack surface by eliminating persistent credentials
Implementation
Update semantic-release
Update semantic-release from 24.2.7 to 25.0.1, which adds support for trusted publishing. See the release notes for details.
Configure Trusted Publishing
- Set up npm Trusted Publishing in the npm dashboard for
@cypressscope packages - Update the GitHub Actions workflow to use OIDC instead of
NPM_TOKENsecret - Remove the
NPM_TOKENsecret from repository settings once migration is complete
Reference
Acceptance Criteria
- semantic-release updated to 25.0.1
- npm Trusted Publishing configured for this repository
- GitHub Actions workflow updated to use OIDC
-
NPM_TOKENsecret removed from repository - Successful test release using trusted publishing