Merge pull request #36 from iamriajul/fix/npm-oidc-publishing

iamriajul · web-flow · commit fd17af103346 · 2026-04-22T10:30:03.000+06:00
ci: use npm trusted publishing
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -10,20 +10,16 @@ on:
         description: "Existing release tag or ref to publish from (for example v1.2.3-20260408120000)"
         required: true
         type: string
-      npm_tag:
-        description: "npm dist-tag to publish under"
-        required: false
-        default: "latest"
-        type: string
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     env:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      NPM_PUBLISH_AUTH: oidc
       R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
       R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
       R2_ENDPOINT: ${{ vars.R2_ENDPOINT }}
@@ -43,9 +39,13 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Update npm for trusted publishing
+        shell: bash
+        run: npm install -g npm@latest
+
       - name: Set up Rust
         uses: dtolnay/rust-toolchain@stable
 
@@ -86,7 +86,6 @@ jobs:
 
           if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
             raw_ref="${{ inputs.git_ref }}"
-            npm_tag="${{ inputs.npm_tag }}"
           else
             raw_ref="${GITHUB_REF_NAME}"
           fi
@@ -101,9 +100,7 @@ jobs:
 
           version="${ref_name#v}"
 
-          if [ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]; then
-            npm_tag="latest"
-          fi
+          npm_tag="latest"
 
           if [ -z "$version" ]; then
             echo "Release version is empty"
diff --git a/AGENTS.md b/AGENTS.md
@@ -120,6 +120,8 @@ Nightly release automation expects repository secrets:
 - `NIGHTLY_RELEASE_PUSH_TOKEN`: PAT/fine-grained token with `contents:write` to push commits + tags (tag pushes trigger release workflows)
 - `DISCORD_WEBHOOK_URL`: Discord webhook used for patch-failure alerts
 
+NPM release automation uses npm trusted publishing / OIDC for `.github/workflows/publish-npm.yml`; no `NPM_TOKEN` is required in Actions. `scripts/publish-npm.sh` still supports `NPM_PUBLISH_AUTH=token` for local fallback.
+
 **Gitignore** (do not modify): `values-production.yaml`, `*-secrets.yaml`, `*-secret.yaml`, `.env*`
 
 ## Commit Conventions
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -120,6 +120,8 @@ Nightly release automation expects repository secrets:
 - `NIGHTLY_RELEASE_PUSH_TOKEN`: PAT/fine-grained token with `contents:write` to push commits + tags (tag pushes trigger release workflows)
 - `DISCORD_WEBHOOK_URL`: Discord webhook used for patch-failure alerts
 
+NPM release automation uses npm trusted publishing / OIDC for `.github/workflows/publish-npm.yml`; no `NPM_TOKEN` is required in Actions. `scripts/publish-npm.sh` still supports `NPM_PUBLISH_AUTH=token` for local fallback.
+
 **Gitignore** (do not modify): `values-production.yaml`, `*-secrets.yaml`, `*-secret.yaml`, `.env*`
 
 ## Commit Conventions
diff --git a/RELEASE.md b/RELEASE.md
@@ -35,14 +35,15 @@ Artifacts:
 - automatic tag publishes use the npm `latest` dist-tag
 
 Required secrets and variables:
-- `NPM_TOKEN`
 - `R2_ACCESS_KEY_ID`
 - `R2_SECRET_ACCESS_KEY`
 - `R2_ENDPOINT`
 - `R2_BUCKET`
 - `R2_PUBLIC_URL`
 - `VITE_PUBLIC_REACT_VIRTUOSO_LICENSE_KEY`
 
+NPM publishes through trusted publishing / OIDC in GitHub Actions. `scripts/publish-npm.sh` still supports `NPM_PUBLISH_AUTH=token` with `NPM_TOKEN` for local fallback.
+
 ## Manual Flow
 
 1. Update the tracked upstream ref with `scripts/update-vibe-kanban.sh`.
diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
@@ -301,7 +301,30 @@ require_cmd rustc
 require_cmd zip
 require_cmd aws
 
-require_env NPM_TOKEN
+NPM_PUBLISH_AUTH="${NPM_PUBLISH_AUTH:-}"
+if [ -z "${NPM_PUBLISH_AUTH}" ]; then
+  if [ -n "${NPM_TOKEN:-}" ]; then
+    NPM_PUBLISH_AUTH="token"
+  else
+    NPM_PUBLISH_AUTH="oidc"
+  fi
+fi
+
+case "${NPM_PUBLISH_AUTH}" in
+  token)
+    require_env NPM_TOKEN
+    ;;
+  oidc)
+    if [ "${GITHUB_ACTIONS:-}" = "true" ] &&
+       { [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; }; then
+      die "NPM_PUBLISH_AUTH=oidc requires GitHub Actions id-token: write permission"
+    fi
+    ;;
+  *)
+    die "NPM_PUBLISH_AUTH must be 'oidc' or 'token'"
+    ;;
+esac
+
 require_env R2_ACCESS_KEY_ID
 require_env R2_SECRET_ACCESS_KEY
 require_env R2_ENDPOINT
@@ -376,9 +399,9 @@ ${NODE_CMD} -e "
   const pkg = JSON.parse(fs.readFileSync(path, 'utf8'));
   pkg.name = 'vibe-kanban-team';
   pkg.version = '${VERSION}';
-  pkg.publishConfig = { access: 'public' };
+  pkg.publishConfig = { access: 'public', registry: 'https://registry.npmjs.org' };
   pkg.author = 'iamriajul';
-  pkg.repository = { type: 'git', url: 'https://github.com/iamriajul/vibe-kanban-team' };
+  pkg.repository = { type: 'git', url: 'git+https://github.com/iamriajul/vibe-kanban-team.git' };
   fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + '\\n');
 "
 
@@ -641,15 +664,27 @@ echo "Removing local dist artifacts before npm publish..."
 rm -rf "${VIBE_DIR}/npx-cli/dist"
 
 echo "Publishing to npm..."
-NPMRC_BAK="${TMP_DIR}/.npmrc"
-umask 077
-printf "//registry.npmjs.org/:_authToken=%s\n" "${NPM_TOKEN}" > "${NPMRC_BAK}"
+NPM_ARGS=()
+
+if [ "${NPM_PUBLISH_AUTH}" = "token" ]; then
+  NPMRC_BAK="${TMP_DIR}/.npmrc"
+  umask 077
+  printf "//registry.npmjs.org/:_authToken=%s\n" "${NPM_TOKEN}" > "${NPMRC_BAK}"
+  NPM_ARGS=(--userconfig "${NPMRC_BAK}")
+else
+  echo "Using npm trusted publishing (OIDC)."
+  # setup-node writes a token-based .npmrc when registry-url is configured.
+  # In OIDC mode, keep npm from falling back to stale token auth.
+  unset NODE_AUTH_TOKEN
+  unset NPM_CONFIG_USERCONFIG
+  unset npm_config_userconfig
+fi
 
-if (cd "${VIBE_DIR}/npx-cli" && npm --userconfig "${NPMRC_BAK}" view "vibe-kanban-team@${VERSION}" version >/dev/null 2>&1); then
+if (cd "${VIBE_DIR}/npx-cli" && npm "${NPM_ARGS[@]}" view "vibe-kanban-team@${VERSION}" version >/dev/null 2>&1); then
   echo "npm version ${VERSION} already exists; skipping publish."
 else
   echo "Publishing to npm with dist-tag: ${NPM_TAG}"
-  (cd "${VIBE_DIR}/npx-cli" && npm --userconfig "${NPMRC_BAK}" publish --ignore-scripts --access public --tag "${NPM_TAG}")
+  (cd "${VIBE_DIR}/npx-cli" && npm "${NPM_ARGS[@]}" publish --ignore-scripts --access public --tag "${NPM_TAG}")
 fi
 
 echo "Publish complete."
