ci: add OIDC permissions for npm trusted publishing #434
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Enable npm trusted publishing with OpenID Connect (OIDC) by adding the required permissions to the publish workflow. **What is npm Trusted Publishing?** npm trusted publishing allows secure publishing of packages directly from CI/CD workflows without storing long-lived npm authentication tokens. Instead, GitHub Actions generates short-lived, cryptographically-signed OIDC tokens that are specific to each workflow execution and cannot be reused. **Changes Made:** - Add `id-token: write` permission to enable OIDC token generation - Add `contents: read` permission for workflow to read repository contents - Add comment explaining automatic OIDC handling by npm CLI v11.5.1+ **Security Benefits:** - ✅ Eliminates long-lived token exposure risk - ✅ Automatic package provenance attestation - ✅ Each publish uses unique, short-lived tokens - ✅ No manual token rotation needed - ✅ Tokens cannot be extracted or reused **Prerequisites:** - npm CLI v11.5.1 or later (already in use) - Trusted publisher configured on npmjs.com (user has already set this up) - GitHub-hosted runners only (currently using ubuntu-latest ✓) **How It Works:** When the workflow runs, the npm CLI automatically detects the OIDC token generated by GitHub Actions and uses it for authentication. No additional environment variables or token storage needed. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| if: github.event_name == 'push' && ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' ) | ||
| permissions: | ||
| id-token: write | ||
| contents: read |
There was a problem hiding this comment.
Bug: Insufficient permissions break GitHub release creation
The permissions block sets contents: read, but the merge-release action needs contents: write to create GitHub releases and tags. When job-level permissions are explicitly defined, GitHub Actions only grants those specific permissions—all defaults are revoked. Before this change, the workflow used default permissions which include write access. This change will cause release creation to fail with a permission denied error.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Enable npm trusted publishing with OpenID Connect (OIDC) by adding the required permissions to the GitHub Actions publish workflow.
What is npm Trusted Publishing?
npm trusted publishing allows packages to be published directly from CI/CD workflows without storing long-lived authentication tokens. Instead:
Changes Made
publish.yml Updates
Added job-level permissions to the
publishjob:Added comment explaining automatic OIDC handling by npm CLI.
Security Benefits
✅ Eliminates token exposure risk - No long-lived tokens stored in secrets
✅ Automatic provenance - npm CLI v11.5.1+ automatically generates package provenance attestations
✅ Unique per-publish - Each publish uses a different, short-lived token
✅ No manual rotation - Tokens are automatically managed by GitHub Actions
✅ Cannot be reused - Tokens are cryptographically bound to specific workflows
How It Works
Prerequisites Verified
✅ npm CLI v11.5.1 or later (already in use via node 22.x)
✅ GitHub-hosted runners (using ubuntu-latest)
✅ Trusted publisher configured on npmjs.com (user confirmed)
✅ Standard node_modules/.bin/npm available in workflow
Testing
This change only adds permissions - the actual OIDC token handling is automatic in npm CLI v11.5.1+. The workflow will continue to work with the fallback NPM_AUTH_TOKEN for older npm versions, while newer npm versions will prioritize the OIDC token.
References
🤖 Generated with Claude Code
Note
Add
id-token: writeandcontents: readpermissions to thepublishjob in.github/workflows/publish.ymlto enable npm trusted publishing via OIDC..github/workflows/publish.yml): Add job-level permissionsid-token: writeandcontents: readto enable npm trusted publishing via OIDC.Written by Cursor Bugbot for commit db5674a. This will update automatically on new commits. Configure here.