Conversation

@tanjeemh
@tanjeemh tanjeemh commented Nov 4, 2025

What problem are we solving?
With OIDC Trusted Publishing, GHA authenticates directly with npm using short-lived identity tokens instead.

  • Eliminates the need to store long-lived npm tokens, improving security.
  • Reduces secret management complexity across BitGo repositories, making maintenance simple.
  • Improved scalability now that our release pipelines are self-contained within GitHub Actions.
  • Necessary for npm compliance with their removal of classic npm tokens.

Why solve it this way?
This PR migrates our semantic-release workflow to use OIDC Trusted Publishing for npm releases. Previously, our release pipeline required an npm-token secret to authenticate with npm during publishing. This approach has since been discouraged by npm themselves.

npm notice SECURITY NOTICE: 
   Breaking changes starting October 13, 2025. 
   New tokens will be limited to a maximum lifetime of 90 days, and TOTP setup will be disabled. 
   Classic tokens will be revoked in November. 
   Update your CI/CD workflows to avoid disruption. Learn more: https://gh.io/npm-token-changes

Fixes:

  • Our semantic-release-action/typescript reusable workflow no longer enforces npm-token as a required secret, allowing us to remove that input so GHA knows to publish via OIDC Trusted Publishing.
  • Add id-token: write permissions to the workflow to allow for GHA to request an OIDC token at runtime.
  • Pinned the workflow to the updated version of semantic-release-action/typescript/release.yml@v3.1.0

Testing:
From our test/check logs, we can confirm that OIDC is being used instead of an npm token to establish a connection to npm.

[semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
[semantic-release] [@semantic-release/npm] › ℹ  Verifying OIDC context for publishing from GitHub Actions
[semantic-release] [@semantic-release/npm] › ℹ  OIDC token exchange with the npm registry succeeded
[semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/npm"

As confirmation of a successful release, see the beta pre-release tag that was created in the repo and in npmjs: https://www.npmjs.com/package/@bitgo-forks/io-ts/v/2.1.5-beta.1
https://github.com/BitGo/io-ts/actions/runs/19077165991

*Note: this PR should not trigger a new official release to @bitgo-forks/io-ts*
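A minimal before/after pair of publish jobs illustrating the migration described above (an added illustration, not the PR's changes or BitGo's reusable workflow; the job names, Node version, npm upgrade step and the Trusted Publisher configuration on npmjs.com are assumptions):

```yaml
# Added illustration, not BitGo's workflow. Assumes the package has this
# repository/workflow registered as a Trusted Publisher on npmjs.com and that
# npm >= 11.5.1 is available, since the CLI performs the OIDC token exchange.

# --- Before: a long-lived npm token stored as a repository secret ----------
name: release-with-token
on:
  push:
    branches: [master]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          # Classic token: lives in a secret, must be rotated by hand,
          # and is the kind of token npm is revoking.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

---
# --- After: no npm secret; the job requests a short-lived OIDC token -------
name: release-with-oidc
on:
  push:
    branches: [master]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write   # lets the job mint an OIDC token at runtime
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # ensure a Trusted-Publishing-capable CLI
      - run: npm ci
      - run: npm publish --access public   # no NODE_AUTH_TOKEN: OIDC exchange instead
```

With the second job, a leaked or forgotten secret can no longer publish the package; only a run of the registered workflow can, and the npm log shows "OIDC token exchange with the npm registry succeeded" as in the testing output above.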

@tanjeemh tanjeemh requested a review from a team as a code owner November 4, 2025 15:56
@ericcrosson-bitgo

Also, this is a tiny point, but I suggest placing the "update version" commit before the "remove npm-token input" commit, since that order is technically safe, but if we were to run CI on each commit in the current order, there would be errors due to invalid inputs!

@ericcrosson-bitgo

@tanjeemh Great PR description. Can you please include hyperlinks to where we conducted our testing? Workflow run logs will only be accessible for 90 days, so consider screenshotting those if necessary, but we will still be able to see the pass/fail outcome of a workflow run. Also suggest linking to the successfully-created beta tag and pre-release on npmjs.com as evidence of a successful run.

The reason we are using the "ci" prefix for the commit message is because we do not want to actually trigger a new release here; take a look at DX-2123 for more details.
Now that `npm-token` is no longer a required secret, we can check the release logs and see that OIDC Trusted Publishing is being used.
The change to the `npm-token` requirement was made in the pinned SHA version 3.1.0 of semantic-release-action/typescript.

Ticket: DX-2243

@ericcrosson-bitgo ericcrosson-bitgo left a comment

Thanks @tanjeemh !

@ericcrosson-bitgo ericcrosson-bitgo merged commit 06e3e9c into master Nov 5, 2025
16 of 19 checks passed
@ericcrosson-bitgo ericcrosson-bitgo deleted the beta branch November 5, 2025 17:47
github-actions bot commented Nov 5, 2025

🎉 This PR is included in version 2.1.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ericcrosson-bitgo

Darn, it still created a release. I'll unpublish it since it is immaterial.
