Skip to content

ci(publish): use npm OIDC #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pdesoyres-cc merged 4 commits into from
Nov 13, 2025
Merged

ci(publish): use npm OIDC #176

pdesoyres-cc merged 4 commits into from
Nov 13, 2025

Conversation

@pdesoyres-cc
Copy link
Contributor

@pdesoyres-cc pdesoyres-cc commented Oct 15, 2025
edited
Loading

What this PR do?

This PR uses the new mechanism introduced by NPM for secured publishing: https://docs.npmjs.com/trusted-publishers

  • delete the GitHub action secret storing the NPM token
  • delete the NPM token (in npm.js)
  • remove token from vault

How to review

  • check that the commit corresponds to the NPM documentation
  • Next release will tell use if it works fine

@pdesoyres-cc pdesoyres-cc self-assigned this Oct 15, 2025
florian-sanders-cc
florian-sanders-cc approved these changes Oct 20, 2025
View reviewed changes
Copy link
Contributor

@florian-sanders-cc florian-sanders-cc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh well, I didn't think it was that straightforward, great job, thanks for that 🙌

Galimede
Galimede approved these changes Oct 28, 2025
View reviewed changes
Copy link
Member

@Galimede Galimede left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for handling this, I didn't think it was that simple. 🤯

hsablonniere
hsablonniere approved these changes Oct 30, 2025
View reviewed changes
Copy link
Member

@hsablonniere hsablonniere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, same here, I didn't expect something that simple, so nice. Looking forward to use it on our other projects 👏

@hsablonniere hsablonniere mentioned this pull request Nov 12, 2025
Closed
hsablonniere added a commit to CleverCloud/clever-tools that referenced this pull request Nov 12, 2025
@hsablonniere
ci(publish): migrate to npm trusted publishing with OIDC
5b2bb54 
Migrate npm publishing to use OIDC-based trusted publishing instead of
static tokens, as npm classic tokens will be permanently revoked on
November 19, 2025.

Changes:
- Add top-level OIDC permissions (id-token: write, contents: read)
- Add job-level OIDC permissions to publish-npm job
- Remove NPM_TOKEN secret usage and NODE_AUTH_TOKEN environment variable
- Add --provenance flag to npm publish for package transparency

Reference: https://docs.npmjs.com/trusted-publishers/
Implementation based on: CleverCloud/clever-client.js#176

Closes #991
@hsablonniere hsablonniere mentioned this pull request Nov 12, 2025
Merged
@pdesoyres-cc pdesoyres-cc merged commit 94bdbc0 into master Nov 13, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hsablonniere hsablonniere hsablonniere approved these changes

@Galimede Galimede Galimede approved these changes

@florian-sanders-cc florian-sanders-cc florian-sanders-cc approved these changes

Assignees

@pdesoyres-cc pdesoyres-cc

Labels

ci/cd

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pdesoyres-cc @hsablonniere @Galimede @florian-sanders-cc