ci: migrate npm publishing to OIDC trusted publishing#38
Open
cryptotavares wants to merge 2 commits into
Open
Conversation
Core Platform is replacing NPM tokens with trusted publishing via OIDC and enabling staged publishing to harden the supply chain. - Bump packageManager to yarn@4.16.0 (required by action-npm-publish@v6) and regenerate the lockfile - Upgrade MetaMask/action-npm-publish@v5 -> @v6 in both the dry-run and publish jobs - Grant id-token: write on the publish-npm job and on the publish-release caller job so the OIDC token can be minted for the reusable workflow - Make the NPM_TOKEN secret optional (required: false); it is now only needed for the initial package publish and can be deleted afterwards
MetaMask's actionlint policy requires GitHub Actions to be pinned to a full commit SHA. Pin action-npm-publish@v6 to 18df42148c35aabb98e00f9fda127d421af141df (v6.5.0) with a # v6 version comment in both the dry-run and publish steps.
Mrtenz
reviewed
Jul 14, 2026
| @@ -1,2 +1,2 @@ | |||
| name: Publish Release | |||
|
|
|||
Member
There was a problem hiding this comment.
This workflow needs top-level permissions
Suggested change
| permissions: | |
| contents: read | |
| name: publish-release-artifacts-${{ github.sha }} | ||
| - name: Dry Run Publish | ||
| uses: MetaMask/action-npm-publish@v5 | ||
| uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6 |
Member
There was a problem hiding this comment.
No need to pin these. You can add a Zizmor config like the one in the module-template to remove these errors.
| "playwright": "^1.49.0" | ||
| }, | ||
| "packageManager": "yarn@4.11.0", | ||
| "packageManager": "yarn@4.16.0", |
Member
There was a problem hiding this comment.
Not a strict requirement but we recommend pinning this to a checksum:
Suggested change
| "packageManager": "yarn@4.16.0", | |
| "packageManager": "yarn@4.16.0+sha256.ba05224324578801b9cc98170d64aa50b9a36733b440fb0942306da3fbbdc7d1", |
| - name: Publish | ||
| uses: MetaMask/action-npm-publish@v5 | ||
| uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6 | ||
| with: |
Member
There was a problem hiding this comment.
We added a dry-run option later. Not required now, but recommended. Will probably be required in the next major version.
Suggested change
| with: | |
| with: | |
| dry-run: false |
| uses: MetaMask/action-npm-publish@v5 | ||
| uses: MetaMask/action-npm-publish@18df42148c35aabb98e00f9fda127d421af141df # v6 | ||
| with: | ||
| slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} |
Member
There was a problem hiding this comment.
Suggested change
| slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| dry-run: true | |
| slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is the current state of things and why does it need to change?
Core Platform is replacing long-lived NPM tokens with trusted publishing via OIDC and enabling staged publishing to harden the supply chain against the recent wave of NPM attacks. All MetaMask packages must publish through this flow.
Today
@metamask/client-mcp-corepublishes with:MetaMask/action-npm-publish@v5(token-based) in both the dry-run and publish jobsid-token: writepermission, so no OIDC token can be mintedNPM_TOKENmarkedrequired: truepackageManager: yarn@4.11.0, which is below the version@v6expectsWhat is the solution your changes offer and how does it work?
Adopts OIDC trusted publishing by aligning the publish pipeline with the module-template reference:
packageManagertoyarn@4.16.0(required byaction-npm-publish@v6) and regenerateyarn.lock.MetaMask/action-npm-publish@v5→@v6in both thepublish-npm-dry-runandpublish-npmjobs.permissions: { contents: read, id-token: write }to thepublish-npmjob, andid-token: writeto thepublish-releasecaller job inmain.yml— for reusable workflows the OIDC token can only be minted when the caller also grants the permission.NPM_TOKENsecret optional (required: false); it is now only needed for the very first publish of the package and can be deleted from thenpm-publishenvironment after the initial OIDC publish.Once merged, trusted publishing must be configured for
@metamask/client-mcp-coreon the NPM side (via @metamask-npm-publishers) before the next release.Links