ci: fix release workflow - git push, split oidc from custom github app #1121

matejchalk · 2025-09-25T14:49:39Z

The story continues 😅

Related issues and PRs

Problem 1 - authorizing `git push`

After my last PR, the release workflow failed with:

NX   Unexpected git push error: fatal: could not read Username for 'https://github.com/': No such device or address

This one seems fairly straightforward. I copied persist-credentials: false from an example in actions/create-github-app-token docs. But we need to persist credentials to authorize git push.

Problem 2 - OIDC not compatible with GitHub App

The npm docs on trusted publishers mention id-token: write must be configured, but that permission isn't available for GitHub Apps. After doing some more research, I've concluded that OIDC is only supported when using the default GitHub Actions bot (built-in GITHUB_TOKEN). Which poses a dilemma, because we can't bypass the main branch's Require a pull request before merging rule without the GitHub App.

In the end, I think I've solved this problem by splitting it into 2 workflows:

release.yml
- triggered by push to main (merging a PR)
- runs nx release --skip-publish
- authenticated as GitHub App
- ➡️ no OIDC needed because we're not publishing yet
- ➡️ GitHub App should bypass branch protection on git push
publish.yml
- triggered by pushing a version tag
- runs nx release publish
- authenticated as default GitHub Actions bot with id-token: write permissions
- ➡️ GitHub App not needed because there's no git push
- ➡️ OIDC should work for npm publish

I've also changed our access settings on npmjs.com for all (13 😅) packages:

replaced release.yml with publish.yml
restricted to our release environment (main branch only)
enforced MFA and disallowed tokens completely (most secure option)

nx-cloud · 2025-09-25T14:50:55Z

View your CI Pipeline Execution ↗ for commit 3aa6a2b

Command	Status	Duration	Result
`nx affected -t e2e-test --parallel=1`	❌ Failed	11m 49s	View ↗

☁️ Nx Cloud last updated this comment at 2025-09-25 15:24:52 UTC

nx-cloud · 2025-09-25T14:50:56Z

View your CI Pipeline Execution ↗ for commit 3aa6a2b

☁️ Nx Cloud last updated this comment at 2025-09-25 14:50:55 UTC

pkg-pr-new · 2025-09-25T14:51:08Z

Open in StackBlitz

@code-pushup/ci

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1121

@code-pushup/cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1121

@code-pushup/core

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1121

@code-pushup/create-cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1121

@code-pushup/models

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1121

@code-pushup/nx-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1121

@code-pushup/coverage-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1121

@code-pushup/eslint-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1121

@code-pushup/js-packages-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1121

@code-pushup/jsdocs-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1121

@code-pushup/lighthouse-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1121

@code-pushup/typescript-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1121

@code-pushup/utils

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1121

@code-pushup/models-transformers

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1121

commit: 3aa6a2b

github-actions · 2025-09-25T14:56:14Z

Code PushUp

😟 Code PushUp report has regressed – compared current commit aa7ff0d with previous commit 38b04e4.

🕵️ See full comparison in Code PushUp portal 🔍

🏷️ Categories

🏷️ Category	⭐ Previous score	⭐ Current score	🔄 Score change
Performance	🔴 42	🔴 41
Updates	🟡 85	🟡 84
Code coverage	🟡 90	🟡 90	–
Security	🟡 56	🟡 56	–
Accessibility	🟢 92	🟢 92	–
Best Practices	🟢 100	🟢 100	–
SEO	🟡 61	🟡 61	–
Type Safety	🟢 100	🟢 100	–
Bug prevention	🟢 100	🟢 100	–
Miscellaneous	🟢 100	🟢 100	–
Code style	🟢 100	🟢 100	–
Documentation	🔴 24	🔴 24	–

👎 2 groups regressed, 👎 4 audits regressed, 17 audits changed without impacting score

🗃️ Groups

🔌 Plugin	🗃️ Group	⭐ Previous score	⭐ Current score	🔄 Score change
Lighthouse	Performance	🔴 42	🔴 41
JS Packages	NPM outdated dependencies	🟡 85	🟡 84

19 other groups are unchanged.

🛡️ Audits

🔌 Plugin	🛡️ Audit	📏 Previous value	📏 Current value
JS Packages	Outdated NPM dev dependencies.	🟨 58 outdated package versions (22 major, 28 minor, 8 patch)	🟨 58 outdated package versions (27 major, 23 minor, 8 patch)
Lighthouse	Total Blocking Time	🟥 1,080 ms	🟥 1,180 ms
Lighthouse	Speed Index	🟥 5.9 s	🟥 5.9 s
Lighthouse	Max Potential First Input Delay	🟥 820 ms	🟥 840 ms
Lighthouse	Avoids enormous network payloads	🟩 Total size was 2,032 KiB	🟩 Total size was 2,078 KiB
Lighthouse	Uses efficient cache policy on static assets	🟨 30 resources found	🟨 30 resources found
Lighthouse	JavaScript execution time	🟥 3.4 s	🟥 3.7 s
Lighthouse	Server Backend Latencies	🟩 1,740 ms	🟩 1,470 ms
Lighthouse	Largest Contentful Paint	🟥 10.9 s	🟥 11.1 s
Lighthouse	Minimizes main-thread work	🟥 9.3 s	🟥 9.1 s
Lighthouse	Reduce unused CSS	🟥 Potential savings of 81 KiB	🟥 Potential savings of 102 KiB
Lighthouse	Remove duplicate modules in JavaScript bundles	🟥 Potential savings of 100 KiB	🟥 Potential savings of 100 KiB
Lighthouse	Metrics	🟩 100%	🟩 100%
Lighthouse	Time to Interactive	🟥 12.4 s	🟥 12.6 s
Lighthouse	Reduce unused JavaScript	🟥 Potential savings of 178 KiB	🟥 Potential savings of 179 KiB
Lighthouse	Initial server response time was short	🟩 Root document took 520 ms	🟩 Root document took 590 ms
Lighthouse	Network Round Trip Times	🟩 20 ms	🟩 50 ms
Lighthouse	First Contentful Paint	🟥 3.0 s	🟥 3.0 s
Lighthouse	Avoids an excessive DOM size	🟥 2,265 elements	🟥 2,263 elements
Code coverage	Branch coverage	🟨 85.5 %	🟨 85.5 %
Lighthouse	Cumulative Layout Shift	🟩 0	🟩 0.002