Conversation

@nicknisi
Member

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets
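The four workflow changes listed above, put together in one release workflow. This is an added illustration, not the project's own .github/workflows/release.yml: the job and step names, the trigger events, the pnpm major version and the publish flags other than --provenance are assumptions for the example.

```yaml
# Added example of a release workflow using npm Trusted Publishers (OIDC).
# Not the project's actual release.yml; job names, triggers and the pnpm
# version are assumptions for illustration.
name: Release

on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    # Permissions are set on the job, not the workflow, so only this job can
    # mint an OIDC token. id-token: write is what lets the runner request it.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: 10            # assumption: pnpm major used for the example

      - uses: actions/setup-node@v4
        with:
          node-version: 24       # Node 24 bundles npm 11+, needed for Trusted Publishers
          registry-url: https://registry.npmjs.org

      - run: pnpm install --frozen-lockfile
      - run: pnpm build

      # Before the migration this step carried a long-lived secret:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # That env block is gone. npm exchanges the job's OIDC token for a
      # short-lived publish credential, and --provenance attaches a signed
      # attestation tying the tarball to this repository and workflow run.
      - run: pnpm publish --access public --provenance --no-git-checks
```

For the OIDC exchange to succeed, the package's Trusted Publisher settings on npmjs.com must name this repository and this workflow filename (release.yml), which is the "Check Trusted Publishers config / Validate repository/workflow" step in the sequence diagram further down; a token minted by any other workflow or fork is rejected. Scoping `id-token: write` to the publishing job rather than the whole workflow keeps other jobs from being able to request an identity token. Once a version is published with provenance, consumers can confirm the attestation with `npm audit signatures` in a project that depends on it.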

@greptile-apps

greptile-apps bot commented Dec 19, 2025

Greptile Summary

This PR successfully migrates the npm publishing workflow from token-based authentication to npm Trusted Publishers using OIDC, providing enhanced security and cryptographic provenance for published packages.

Key Changes:

  • Upgraded Node.js to version 24 (required for npm 11+ which supports Trusted Publishers)
  • Added id-token: write permission to enable OIDC token generation for GitHub Actions
  • Added --provenance flag to publish commands for cryptographic proof of package origin
  • Removed NODE_AUTH_TOKEN environment variable and NPM_TOKEN secret dependency

Security Improvements:

  • Eliminates need for long-lived npm tokens stored as GitHub secrets
  • Uses short-lived OIDC tokens for authentication
  • Provides cryptographic provenance linking published packages to source code and build process
  • Reduces attack surface by removing manual token management

Confidence Score: 5/5

  • This PR is safe to merge with no risk - the changes follow npm Trusted Publishers best practices correctly
  • The implementation correctly follows npm Trusted Publishers specification with proper OIDC permissions, appropriate Node version upgrade, and correct provenance flags. All changes are additive security improvements with no breaking changes or security concerns.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/release.yml
Overview: Migrated to npm Trusted Publishers with OIDC authentication, Node 24 upgrade, and provenance support

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant OIDC as GitHub OIDC Provider
    participant npm as npm Registry
    participant Pkg as Published Package
    
    Note over GHA,npm: Release triggered (manual or release event)
    
    GHA->>GHA: Checkout code
    GHA->>GHA: Setup Node 24 & pnpm 10
    GHA->>GHA: Install dependencies
    GHA->>GHA: Build project
    
    Note over GHA,OIDC: OIDC Authentication Flow
    GHA->>OIDC: Request OIDC token<br/>(id-token: write permission)
    OIDC->>GHA: Return signed JWT token
    
    Note over GHA,npm: Trusted Publishers Authentication
    GHA->>npm: Publish with --provenance flag<br/>(includes OIDC token)
    npm->>npm: Verify OIDC token signature
    npm->>npm: Check Trusted Publishers config
    npm->>npm: Validate repository/workflow
    
    npm->>Pkg: Publish package with provenance
    npm->>GHA: Success response
    
    Note over Pkg: Package includes cryptographic<br/>proof of origin


@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments


@nicknisi nicknisi force-pushed the nicknisi/trusted-publisher branch from 4381f38 to 7ad9a77 on December 19, 2025 16:19
@nicknisi nicknisi merged commit 8de8cc4 into main Dec 19, 2025
6 checks passed