
fix(release): upgrade npm for OIDC trusted publishing auth#57

Merged
iamladi merged 1 commit into main from fix/npm-oidc-publish on Apr 2, 2026

Conversation

iamladi (Owner) commented Apr 2, 2026

Summary

Follow-up to #56. The .npmrc removal and registry-url addition were necessary but insufficient — npm 10.x (Node 22) does not support OIDC publish authentication, only provenance signing.

  • Add npm install -g npm@latest step to upgrade to npm 11.5.1+ which supports the full OIDC trusted publishing flow

Root Cause

npm 10.x can sign provenance via OIDC (Sigstore) but cannot authenticate the PUT request via OIDC. The registry returns E404 because the publish is effectively unauthenticated. npm 11.5.1+ adds native OIDC auth exchange with the npm registry.

Test plan

  • Merge and verify release workflow publishes successfully
  • Confirm npm --version in CI logs shows 11.x+

npm 10.x (Node 22) supports provenance signing via OIDC but not
publish authentication. The registry OIDC auth exchange requires
npm 11.5.1+. Upgrading npm in CI enables the full trusted publishing
flow without an NPM_TOKEN.
@iamladi iamladi merged commit 2b999b6 into main Apr 2, 2026
4 checks passed
@iamladi iamladi deleted the fix/npm-oidc-publish branch April 2, 2026 11:32
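The test plan above asks to confirm in the CI logs that npm is 11.x+. As an added example (not part of this PR or the repository), the POSIX shell guard below fails the release job unless the npm on PATH is at least 11.5.1, the minimum the PR names for OIDC publish auth, so the publish step never runs against an npm 10.x that would send an effectively unauthenticated PUT. The script name `check-npm-version.sh` and the `--check` flag are assumptions.

```shell
#!/bin/sh
# Added example: guard step for a release workflow that relies on npm's
# OIDC trusted publishing. Fails closed: any malformed or too-old version
# stops the job before `npm publish` runs.
set -eu

MIN_NPM_VERSION="11.5.1"   # first npm release with OIDC auth exchange per the PR

# version_ge HAVE WANT -> exit 0 if HAVE >= WANT, comparing up to three
# numeric fields. A pre-release suffix ("11.6.0-pre.0") is ignored; missing
# fields count as 0; non-numeric input is treated as "too old".
version_ge() {
    have=$(printf '%s' "$1" | sed 's/-.*//').0.0
    want=$(printf '%s' "$2" | sed 's/-.*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        h=${h:-0}; w=${w:-0}
        case "$h$w" in *[!0-9]*) return 1 ;; esac   # fail closed on garbage
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0   # all three fields equal
}

# check_npm_version -> exit 0 only if the npm on PATH meets MIN_NPM_VERSION.
check_npm_version() {
    current=$(npm --version 2>/dev/null) || { echo "npm not found in PATH" >&2; return 1; }
    if version_ge "$current" "$MIN_NPM_VERSION"; then
        echo "npm $current satisfies >= $MIN_NPM_VERSION (OIDC publish auth available)"
    else
        echo "npm $current cannot authenticate an OIDC publish; need >= $MIN_NPM_VERSION" >&2
        return 1
    fi
}

# Entry point for the CI step (assumed flag); skipped when the file is sourced.
if [ "${1:-}" = "--check" ]; then
    check_npm_version || exit 1
fi
```

In the workflow, run `sh check-npm-version.sh --check` as the step immediately after `npm install -g npm@latest` and before `npm publish`.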