fix: enable npm OIDC trusted publishing #1042

Merged: sarahdayan merged 3 commits into main from fix/npm-oidc-version on Feb 5, 2026

sarahdayan (Member) commented Feb 5, 2026

Summary

Fixes the ENEEDAUTH error when publishing with useOidcTokenProvider: true.

Problem

The release workflow failed with:

npm error code ENEEDAUTH
npm error need auth This command requires you to be logged in to https://registry.npmjs.org/

This happened because npm OIDC trusted publishing has two requirements that weren't being met:

  1. npm CLI v11.5.1+ is required for OIDC authentication. Node 20 bundles npm 10, which doesn't support trusted publishing.

  2. The --provenance flag is needed by some users for OIDC publishing to work, even though npm docs say it should be automatic.

Solution

  1. Workflow change: Add npm install -g npm@latest step before publishing to upgrade to npm 11.5+

  2. Ship.js change: Add --provenance flag to npm publish command when useOidcTokenProvider is enabled

References

sarahdayan and others added 3 commits February 5, 2026 11:29

npm OIDC trusted publishing requires npm v11.5+, but Node 20 bundles
npm 10. This adds an npm upgrade step before publishing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Some npm registries require the --provenance flag even with OIDC
trusted publishing. Pass useOidcTokenProvider to getPublishCommand
and add the flag when enabled.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

OIDC trusted publishing requires npm v11.5.1 or later.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

sarahdayan requested review from a team, FabienMotte and aymeric-giraudet and removed request for a team February 5, 2026 10:41
sarahdayan requested a review from Haroenv February 5, 2026 10:58
sarahdayan merged commit 70b8b80 into main Feb 5, 2026
7 checks passed
sarahdayan deleted the fix/npm-oidc-version branch February 5, 2026 11:27
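
As an added example (not Ship.js code and not part of this pull request), a preflight that a release job could run before publishing: it checks the npm CLI version against the 11.5.1 minimum stated above and appends --provenance when useOidcTokenProvider is set. It assumes the job runs in GitHub Actions, where the ACTIONS_ID_TOKEN_REQUEST_* variables are present only when the job has id-token: write; supportsTrustedPublishing, preflight and publishArgs are hypothetical names.

```javascript
// Added example, not Ship.js code: preflight for npm OIDC trusted publishing.
const MIN_NPM = [11, 5, 1]; // minimum npm CLI version stated in the PR

// True when the npm CLI version is 11.5.1 or later (malformed input is false).
function supportsTrustedPublishing(npmVersion) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(npmVersion).trim());
  if (!m) return false;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== MIN_NPM[i]) return parts[i] > MIN_NPM[i];
  }
  return m[4] === undefined; // a prerelease of 11.5.1 sorts before 11.5.1
}

// List the reasons an OIDC publish cannot authenticate; empty means ready.
function preflight({ npmVersion, env }) {
  const problems = [];
  if (!supportsTrustedPublishing(npmVersion)) {
    problems.push(`npm ${npmVersion} does not meet the 11.5.1 minimum; run "npm install -g npm@latest" first`);
  }
  // Assumption: GitHub Actions, which sets these only with "id-token: write".
  for (const name of ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"]) {
    if (!env[name]) problems.push(`${name} is unset; the job cannot request an OIDC token`);
  }
  return problems;
}

// Hypothetical helper: add --provenance when useOidcTokenProvider is enabled.
function publishArgs({ tag, useOidcTokenProvider }) {
  const args = ["publish", "--tag", tag];
  if (useOidcTokenProvider) args.push("--provenance");
  return args;
}

// Stand-alone run: npm exports npm_config_user_agent ("npm/<version> node/...")
// to the scripts it launches, so "npm run preflight" sees the active CLI version.
const agent = /npm\/(\S+)/.exec(process.env.npm_config_user_agent || "");
const report = preflight({ npmVersion: agent ? agent[1] : "unknown", env: process.env });
console.log(report.length ? report.join("\n") : "preflight passed");
```

Running the check as an npm script in the step after the npm upgrade makes a stale CLI or a missing id-token permission fail the job with a named cause before npm publish is attempted.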