Skip to content

ci: migrate npm publishing to OIDC trusted publishing#38

Open
cryptotavares wants to merge 2 commits into
mainfrom
cryptotavares/upgrade-npm-trusted-publishing
Open

ci: migrate npm publishing to OIDC trusted publishing#38
cryptotavares wants to merge 2 commits into
mainfrom
cryptotavares/upgrade-npm-trusted-publishing

Conversation

@cryptotavares

Copy link
Copy Markdown
Collaborator

What is the current state of things and why does it need to change?

Core Platform is replacing long-lived NPM tokens with trusted publishing via OIDC and enabling staged publishing to harden the supply chain against the recent wave of NPM attacks. All MetaMask packages must publish through this flow.

Today @metamask/client-mcp-core publishes with:

  • MetaMask/action-npm-publish@v5 (token-based) in both the dry-run and publish jobs
  • no id-token: write permission, so no OIDC token can be minted
  • NPM_TOKEN marked required: true
  • packageManager: yarn@4.11.0, which is below the version @v6 expects

What is the solution your changes offer and how does it work?

Adopts OIDC trusted publishing by aligning the publish pipeline with the module-template reference:

  • Bump packageManager to yarn@4.16.0 (required by action-npm-publish@v6) and regenerate yarn.lock.
  • Upgrade MetaMask/action-npm-publish@v5@v6 in both the publish-npm-dry-run and publish-npm jobs.
  • Add permissions: { contents: read, id-token: write } to the publish-npm job, and id-token: write to the publish-release caller job in main.yml — for reusable workflows the OIDC token can only be minted when the caller also grants the permission.
  • Make the NPM_TOKEN secret optional (required: false); it is now only needed for the very first publish of the package and can be deleted from the npm-publish environment after the initial OIDC publish.

Once merged, trusted publishing must be configured for @metamask/client-mcp-core on the NPM side (via @metamask-npm-publishers) before the next release.

Links

Core Platform is replacing NPM tokens with trusted publishing via OIDC and enabling staged publishing to harden the supply chain.

- Bump packageManager to yarn@4.16.0 (required by action-npm-publish@v6) and regenerate the lockfile
- Upgrade MetaMask/action-npm-publish@v5 -> @v6 in both the dry-run and publish jobs
- Grant id-token: write on the publish-npm job and on the publish-release caller job so the OIDC token can be minted for the reusable workflow
- Make the NPM_TOKEN secret optional (required: false); it is now only needed for the initial package publish and can be deleted afterwards
@cryptotavares cryptotavares requested a review from a team as a code owner July 13, 2026 21:36
Comment thread .github/workflows/publish-release.yml Fixed
Comment thread .github/workflows/publish-release.yml Fixed
MetaMask's actionlint policy requires GitHub Actions to be pinned to a full commit SHA. Pin action-npm-publish@v6 to 18df42148c35aabb98e00f9fda127d421af141df (v6.5.0) with a # v6 version comment in both the dry-run and publish steps.
@@ -1,2 +1,2 @@
name: Publish Release

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow needs top-level permissions

Suggested change
permissions:
contents: read

name: publish-release-artifacts-${{ github.sha }}
- name: Dry Run Publish
uses: MetaMask/action-npm-publish@v5
uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to pin these. You can add a Zizmor config like the one in the module-template to remove these errors.

Comment thread package.json
"playwright": "^1.49.0"
},
"packageManager": "yarn@4.11.0",
"packageManager": "yarn@4.16.0",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a strict requirement but we recommend pinning this to a checksum:

Suggested change
"packageManager": "yarn@4.16.0",
"packageManager": "yarn@4.16.0+sha256.ba05224324578801b9cc98170d64aa50b9a36733b440fb0942306da3fbbdc7d1",

- name: Publish
uses: MetaMask/action-npm-publish@v5
uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6
with:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We added a dry-run option later. Not required now, but recommended. Will probably be required in the next major version.

Suggested change
with:
with:
dry-run: false

uses: MetaMask/action-npm-publish@v5
uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6
with:
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
dry-run: true
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants