Conversation

@irrationnelle
Collaborator

Description

Summary

This commit transitions the package publishing workflow from token-based authentication to OpenID Connect (OIDC) authentication by removing the explicit NPM_TOKEN environment variable reference from the GitHub Actions workflow configuration.

Technical Details

The modification involves removing the NPM_TOKEN secret environment variable from the changesets publishing step in .github/workflows/publish.yml. This change reflects the adoption of OIDC-based authentication, which provides a more secure authentication mechanism by eliminating the need for long-lived, static authentication tokens.

Security and Operational Benefits

Enhanced Security Posture:

  • Eliminates the requirement to store and manage long-lived npm authentication tokens as repository secrets
  • Reduces the attack surface by removing static credentials that could be compromised or leaked
  • Leverages short-lived, automatically-rotating credentials generated through the OIDC trust relationship

Improved Operational Efficiency:

  • Removes the maintenance burden associated with token rotation and renewal
  • Simplifies the authentication workflow by relying on GitHub's native identity provider integration
  • Reduces the risk of publishing failures due to expired or revoked tokens

Implementation Context

The workflow maintains the permissions: write-all configuration, which grants the necessary permissions for the GitHub Actions job to obtain OIDC tokens and authenticate with npm's registry. The changesets/action package publishing mechanism remains unchanged, with only the authentication method being modernized.

This change aligns with current best practices for GitHub Actions security and npm registry authentication patterns.
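As an added example (not code from the PR or the project), here is a small lint over a constructed copy of the publish workflow that checks the two settings the description discusses: whether a static NPM_TOKEN secret is still passed to the changesets step, and whether the job's permissions block grants the `id-token: write` scope a job needs to request an OIDC token. The sample workflow text, the `pnpm release` publish command, and the narrowed permission set (`contents`, `pull-requests`, `id-token`) are constructed assumptions; `write-all` covers `id-token: write` but also every other scope, which is why the lint flags it.

```python
"""Lint a GitHub Actions publish workflow for static npm tokens and OIDC permissions.

Constructed samples below model the workflow before and after the PR; they are not
the repository's actual .github/workflows/publish.yml.
"""
import re

# Constructed: the step as it looked before the PR, with a long-lived token in env.
BEFORE = """\
name: Publish
on:
  push:
    branches: [main]
permissions: write-all
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create PR or release packages
        uses: changesets/action@v1
        with:
          publish: pnpm release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: token removed and write-all narrowed to the scopes OIDC publishing needs
# (assumed minimal set for changesets/action: contents, pull-requests, id-token).
AFTER = BEFORE.replace("          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n", "").replace(
    "permissions: write-all",
    "permissions:\n  contents: write\n  pull-requests: write\n  id-token: write",
)

# Constructed failure mode: token removed but id-token: write never granted.
MISSING_ID_TOKEN = AFTER.replace("\n  id-token: write", "")


def lint_publish_workflow(text):
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    if re.search(r"^[ \t]*NPM_TOKEN:[ \t]*\$\{\{[ \t]*secrets\.", text, re.M):
        findings.append("static NPM_TOKEN secret passed to a step")
    if re.search(r"^permissions:[ \t]*write-all[ \t]*$", text, re.M):
        findings.append("permissions: write-all grants every scope, not just id-token")
    has_id_token = re.search(r"^[ \t]+id-token:[ \t]*write[ \t]*$", text, re.M)
    if not has_id_token and "write-all" not in text:
        findings.append("no id-token: write permission; the OIDC token request would fail")
    return findings
```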

irrationnelle self-assigned this Nov 4, 2025
irrationnelle added the enhancement (New feature or request) label Nov 4, 2025
@changeset-bot

changeset-bot bot commented Nov 4, 2025

⚠️ No Changeset found

Latest commit: 0bf0773

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai bot commented Nov 4, 2025

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated publish workflow security by reducing credentials passed to build actions.

Walkthrough

Removed the NPM_TOKEN environment variable from the "Create PR or release packages" step in the publish workflow to reduce the number of credentials passed to the changesets action, improving security by limiting token exposure.

Changes

Cohort / File(s): Workflow credential reduction (.github/workflows/publish.yml)
Summary: Removed NPM_TOKEN environment variable from the changesets action step to reduce exposed credentials

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Title check: ✅ Passed. The title accurately reflects the main change: transitioning from token-based to OIDC authentication for npm package publishing.
Description check: ✅ Passed. The description is directly related to the changeset, providing clear context about the OIDC authentication transition and its security benefits.
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7414e7b and 0bf0773.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/publish.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

irrationnelle merged commit 183c57d into main Nov 4, 2025
5 checks passed
irrationnelle deleted the fix/apply-oidc-npm-package branch November 4, 2025 09:02