
fix: use npm OIDC trusted publishing instead of token auth#6

Merged
jim80net merged 2 commits into main from fix/npm-publish-token on Mar 15, 2026

Conversation

@jim80net
Owner

@jim80net jim80net commented Mar 15, 2026

Summary

  • Upgrade npm to latest before publish (runners ship 10.9.4, OIDC needs >= 11.5.1)
  • Remove NPM_TOKEN secret — OIDC handles authentication via id-token: write
  • Remove --provenance flag — automatic with trusted publishing

Problem

npm publish failed with E404 because the runner's npm (10.9.4) doesn't support OIDC trusted publishing. It fell back to NODE_AUTH_TOKEN which was a placeholder, not a real npm token.

npm trusted publishing (GA since July 2025) eliminates the need for long-lived npm tokens entirely. The npm CLI exchanges a GitHub OIDC token for a short-lived publish token, but this requires npm >= 11.5.1 — especially for scoped packages (npm/cli#8678).

Setup required on npmjs.com

Go to the @jim80net/memex-core package settings > Trusted Publishers > Add GitHub Actions:

  • Owner: jim80net
  • Repository: memex-core
  • Workflow filename: release-please.yml
  • Environment: npm

Test plan

  • Configure trusted publisher on npmjs.com (see above)
  • Merge and trigger a release — verify publish succeeds without any npm token

References

🤖 Generated with Claude Code

actions/setup-node creates the .npmrc referencing NODE_AUTH_TOKEN but
does not provide the token value itself. The --provenance flag uses
OIDC for attestation signing only, not for registry authentication.
Without a valid token, npm publish returns 404 on the scoped package.

Requires an NPM_TOKEN repo secret with a granular access token that
has publish permission to the @jim80net scope.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude

claude bot commented Mar 15, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

GitHub-hosted runners ship npm 10.9.4 (with Node 22) which lacks OIDC
trusted publishing support. npm >= 11.5.1 is required for OIDC token
exchange, especially for scoped packages (npm/cli#8678).

Changes:
- Upgrade npm to latest before publish (for OIDC support)
- Remove NPM_TOKEN secret — OIDC handles authentication
- Remove --provenance flag — automatic with trusted publishing

Requires configuring the trusted publisher on npmjs.com:
  Package Settings > Trusted Publishers > Add GitHub Actions
  (org: jim80net, repo: memex-core, workflow: release-please.yml,
   environment: npm)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
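The job shape the PR describes, written out as an added example. This is not the memex-core repository's own release-please.yml; the workflow name, trigger, Node version and the `--access public` flag are assumptions. The preflight step is the check a practitioner would want here: with an older npm the CLI does not error out, it silently falls back to whatever `NODE_AUTH_TOKEN` holds, which is exactly the E404 the PR hit, so the job fails closed instead.

```yaml
# Added example: a release job using npm trusted publishing (OIDC).
# Not the project's actual release-please.yml; names below are assumed.
name: release

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the Environment registered under Trusted Publishers on npmjs.com.
    environment: npm
    permissions:
      contents: read
      # Lets the npm CLI request a GitHub OIDC token; no NPM_TOKEN secret needed.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Runners ship npm 10.9.4; trusted publishing needs >= 11.5.1.
      - name: Upgrade npm
        run: npm install -g npm@latest

      # Fail closed: an old npm would silently fall back to NODE_AUTH_TOKEN
      # rather than doing the OIDC exchange, so gate on the version explicitly.
      - name: Require OIDC-capable npm
        run: |
          v="$(npm --version)"
          if [ "$(printf '%s\n11.5.1\n' "$v" | sort -V | head -n1)" != "11.5.1" ]; then
            echo "npm $v is too old for trusted publishing (need >= 11.5.1)" >&2
            exit 1
          fi

      - run: npm ci

      # No NODE_AUTH_TOKEN and no --provenance flag: the CLI exchanges the
      # OIDC token for a short-lived publish token and attaches provenance
      # on its own. --access public is assumed here because scoped packages
      # are restricted by default on first publish.
      - run: npm publish --access public
```

The trusted publisher entry on npmjs.com is matched on repository owner, repository name, workflow filename and (when set) environment, so the `environment:` key above has to be present and spelled exactly as registered, and the filename of this workflow has to be the one entered in the package settings; a mismatch on any of those fields means the OIDC token is rejected and publish fails even though `id-token: write` is granted.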
@jim80net jim80net changed the title fix: add NPM_TOKEN for npm publish authentication fix: use npm OIDC trusted publishing instead of token auth Mar 15, 2026
@jim80net jim80net merged commit 4b6d379 into main Mar 15, 2026
5 checks passed
