Migrate to npm Trusted Publishing

[AtofStryker]

Why migrate to Trusted Publishing?

As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).

Benefits:

• Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
• No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
• Automatic Provenance Attestation: Provides better audit trails and security transparency
• Simplified Security Model: Reduces attack surface by eliminating persistent credentials

Implementation

Configure Trusted Publishing

1. Set up npm Trusted Publishing in the npm dashboard for @cypress-design scope packages
2. Update the GitHub Actions workflow to use OIDC instead of NPM_TOKEN secret
3. Remove the NPM_TOKEN secret from repository settings once migration is complete

Reference

• npm Trusted Publishing documentation

Acceptance Criteria

• npm Trusted Publishing configured for this repository
• GitHub Actions workflow updated to use OIDC
• NPM_TOKEN secret removed from repository
• Successful test release using trusted publishing