Skip to content

Fix npm OIDC auth with push trigger #1225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Ndpnt merged 1 commit into from
Jan 12, 2026
Merged

Fix npm OIDC auth with push trigger #1225

Ndpnt merged 1 commit into from
Jan 12, 2026

Conversation

@Ndpnt
Copy link
Contributor

@Ndpnt Ndpnt commented Jan 12, 2026

No description provided.

@Ndpnt
Fix npm OIDC auth with push trigger
f5aa085 
Empirical observation: the workflow succeeds with "on: push" but fails with "on: pull_request_target". This suggests npm's OIDC validation may not support the pull_request subject claim format, though this isn't explicitly documented by npm.

This change is safe because `main` is protected and only accepts PR merges (except OTA-Release-bot for automated release commits). The changelog validation logic also prevents accidental releases.
clementbiron
clementbiron approved these changes Jan 12, 2026
View reviewed changes
Copy link
Member

@clementbiron clementbiron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't really understand what you're doing, and I think I would need a lot of context and time to do a proper review. I approve to try to get the release working out as soon as possible.

@Ndpnt Ndpnt merged commit 62e1a24 into main Jan 12, 2026
14 checks passed
@Ndpnt Ndpnt deleted the fix-release branch January 12, 2026 16:22
MattiSG
MattiSG reviewed Jan 13, 2026
View reviewed changes
Copy link
Member

@MattiSG MattiSG left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change seems very dangerous to me. I understand that now, the release workflow will be called on every push to main, not anymore on merged pull requests only. How will this broadening of release triggers not create loops when the release workflow creates a commit on main to modify the changelog?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MattiSG MattiSG MattiSG left review comments

@clementbiron clementbiron clementbiron approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Ndpnt @MattiSG @clementbiron