Migrate to npm Trusted Publishing

[AtofStryker]

Why migrate to Trusted Publishing?

As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).

Benefits:

• Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
• No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
• Automatic Provenance Attestation: Provides better audit trails and security transparency
• Simplified Security Model: Reduces attack surface by eliminating persistent credentials

Implementation

Update semantic-release

Update semantic-release from 24.2.3 to 25.0.1 inside the github workflow, which adds support for trusted publishing. See the release notes for details.

Configure Trusted Publishing

1. Set up npm Trusted Publishing in the npm dashboard for @cypress scope packages
2. Update the GitHub Actions workflow to use OIDC instead of NPM_TOKEN secret
3. Remove the NPM_TOKEN secret from repository settings once migration is complete

Reference

• npm Trusted Publishing documentation

Acceptance Criteria

• semantic-release updated to 25.0.1
• npm Trusted Publishing configured for this repository
• GitHub Actions workflow updated to use OIDC
• NPM_TOKEN secret removed from repository
• Successful test release using trusted publishing

[MikeMcC399]

@AtofStryker

Thanks for adding this task and for the detail you provided!

This is probably a good repo to pilot this change.

• Although the repo publishes to the npm registry @cypress/github-action, the code is never run from this source and so it's not essential for this to work 100%!
• There are already plans in place to update other actions, including cycjimmy/semantic-release-action to Node.js 24 (see Update action to run under Node.js 24 #1519), which would be a prerequisite to update to semantic-release >=25.0.0

Please let me know if there is any urgent need for change, otherwise I'll be submitting multiple routine PRs to move the repo forward, including release components. If you are intending to submit PRs yourself, do please allow me to review them.

[AtofStryker]

@AtofStryker

Thanks for adding this task and for the detail you provided!

This is probably a good repo to pilot this change.

• Although the repo publishes to the npm registry @cypress/github-action, the code is never run from this source and so it's not essential for this to work 100%!
• There are already plans in place to update other actions, including cycjimmy/semantic-release-action to Node.js 24 (see Update action to run under Node.js 24 #1519), which would be a prerequisite to update to semantic-release >=25.0.0

Please let me know if there is any urgent need for change, otherwise I'll be submitting multiple routine PRs to move the repo forward, including release components. If you are intending to submit PRs yourself, do please allow me to review them.

@MikeMcC399 I am not currently planning to submit the PRs to do the trusted publishing work, mostly just file issues and prioritize. That being said, if you want to submit the PRs, please feel free as we would greatly appreciate the help (as always!). You can also tag me as a reviewer.

[MikeMcC399]

@AtofStryker

@MikeMcC399 I am not currently planning to submit the PRs to do the trusted publishing work, mostly just file issues and prioritize. That being said, if you want to submit the PRs, please feel free as we would greatly appreciate the help (as always!). You can also tag me as a reviewer.

Thanks for the clarification! I've added myself as assignee here for the bits that I can contribute.