oicd

Author: marwie

.github/workflows/test.yml

@@ -30,7 +30,7 @@ jobs:
             id: publish
             run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --access-token "${{ secrets.NPM_TOKEN }}" --version+hash --tag github --version+tag --create-tag "test/" --llm-api-key "${{ secrets.LLM_API_KEY }}"
 
-          - name: Print output 
+          - name: Print output
             run: |
               echo "Package version: ${{ steps.publish.outputs.package-version }}"
 
@@ -42,3 +42,57 @@ jobs:
 
           - name: Just add a tag
             run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --access-token "${{ secrets.NPM_TOKEN }}" --tag github-2
+
+    # OIDC-based publishing (Trusted Publishing)
+    # NOTE: First publish of a package MUST use --access-token. OIDC only works for existing packages.
+    #
+    # To enable OIDC for this package:
+    # 1. Ensure the package exists on npmjs.com (publish once with --access-token)
+    # 2. Go to https://www.npmjs.com/package/publish-helper-test-package/access
+    # 3. Click "Settings" → "Trusted Publisher" → "GitHub Actions"
+    # 4. Configure: owner (needle-tools), repository (npm-publish-helper), workflow (test.yml)
+    publish-oidc:
+        runs-on: ubuntu-latest
+        timeout-minutes: 5
+        permissions:
+          contents: read
+          id-token: write  # Required for OIDC authentication
+        defaults:
+          run:
+            working-directory: ./
+
+        steps:
+          - uses: actions/checkout@v4
+
+          - name: Setup Node.js
+            uses: actions/setup-node@v4
+            with:
+              node-version: '22'  # npm >= 11.5 required for OIDC
+              # Note: Do NOT set registry-url here for OIDC - it creates .npmrc expecting NODE_AUTH_TOKEN
+              # which conflicts with OIDC. Let npm use its default registry.
+
+          - name: Check environment for OIDC
+            run: |
+              echo "=== Node/npm versions ==="
+              echo "npm version: $(npm --version)"
+              echo "node version: $(node --version)"
+              echo ""
+              echo "=== OIDC Environment Variables ==="
+              echo "GITHUB_ACTIONS: $GITHUB_ACTIONS"
+              echo "ACTIONS_ID_TOKEN_REQUEST_URL: ${ACTIONS_ID_TOKEN_REQUEST_URL:-(not set)}"
+              echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:+****(set)}"
+              echo ""
+              echo "=== npmrc contents (if any) ==="
+              cat ~/.npmrc 2>/dev/null || echo "(no ~/.npmrc)"
+              cat .npmrc 2>/dev/null || echo "(no ./.npmrc)"
+
+          - name: Install dependencies
+            run: npm install
+
+          - name: Run publish with OIDC
+            id: publish-oidc
+            run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --oidc --version+hash --tag oidc --version+tag
+
+          - name: Print output
+            run: |
+              echo "Package version: ${{ steps.publish-oidc.outputs.package-version }}"

bin/cli.js

@@ -68,6 +68,7 @@ program.command('publish', 'Publish npm package')
     .option("--create-tag", "Create a git tag. Default: null. Can be set to e.g. '--create-tag release/'", { required: false, validator: program.STRING })
     .option("--webhook <webhook>", "Webhook URL to send notifications", { required: false, validator: program.STRING })
     .option("--access-token <access-token>", "NPM access token", { required: false, validator: program.STRING })
+    .option("--oidc", "Use OIDC (OpenID Connect) for authentication instead of access tokens. Requires npm >= 11.5 and a trusted publisher configured on npmjs.com. Works with GitHub Actions and GitLab CI/CD.", { required: false, validator: program.BOOLEAN, default: false })
     .option("--dry-run", "Dry run mode, do not publish", { required: false, validator: program.BOOLEAN, default: false })
     .option("--override-name <name>", "Override package name", { required: false, validator: program.STRING })
     .option("--override-version <version>", "Override package version", { required: false, validator: program.STRING })
@@ -93,6 +94,7 @@ program.command('publish', 'Publish npm package')
 
             registry: registry,
             accessToken: options.accessToken?.toString() || null,
+            useOidc: options.oidc === true,
             useHashInVersion: options.versionHash === true, // default to false
             useTagInVersion: options.versionTag === true, // default to false
             createGitTag: options.createTag !== undefined, // default to false

src/publish.js

@@ -58,14 +58,31 @@ export async function publish(args) {
     logger.info(`Package: ${packageJson.name}@${packageJson.version}`);
     logger.info(`Build time: ${buildTime}`);
     logger.info(`Short SHA: ${shortSha}`);
-    logger.info(`Token: '${obfuscateToken(args.accessToken)}'`);
+    if (args.useOidc) {
+        logger.info(`Authentication: OIDC (Trusted Publishing)`);
+    } else {
+        logger.info(`Token: '${obfuscateToken(args.accessToken)}'`);
+    }
     logger.info(`Repository: ${repoUrl}`);
     logger.info(`Last commit message: ${commitMessage}`);
     logger.info(`Last commit author: ${commitAuthorWithEmail}`);
     logger.info(`Registry: ${args.registry || 'https://registry.npmjs.org/'}`);
 
-    if (!args.accessToken?.length) {
-        logger.warn(`No access token provided. Publishing to registry ${args.registry} may fail.`);
+    if (!args.useOidc && !args.accessToken?.length) {
+        logger.warn(`No access token provided and OIDC not enabled. Publishing to registry ${args.registry} may fail.`);
+    }
+    if (args.useOidc) {
+        logger.info(`OIDC authentication enabled. Ensure your CI/CD has id-token: write permissions and a trusted publisher is configured on npmjs.com.`);
+        // Check npm version for OIDC support
+        const npmVersionResult = tryExecSync('npm --version', { cwd: packageDirectory });
+        if (npmVersionResult.success) {
+            const npmVersion = npmVersionResult.output.trim();
+            const [major, minor] = npmVersion.split('.').map(Number);
+            logger.info(`npm version: ${npmVersion}`);
+            if (major < 11 || (major === 11 && minor < 5)) {
+                logger.warn(`⚠ npm version ${npmVersion} may not support OIDC. Version 11.5+ is recommended.`);
+            }
+        }
     }
 
     // Remove slahes from the end of the tag (this may happen if the tag is provided by github ref_name
@@ -126,7 +143,7 @@ export async function publish(args) {
         msg += `Commit URL: ${repoUrl}/commit/${shortSha}\n`;
         msg += `Build time: ${buildTime}\n`;
         msg += `Registry: ${args.registry}\n`;
-        msg += `Token: ${obfuscateToken(args.accessToken)}\n`;
+        msg += `Auth: ${args.useOidc ? 'OIDC (Trusted Publishing)' : obfuscateToken(args.accessToken)}\n`;
         msg += `Tag: ${args.tag || '-'}${args.useTagInVersion ? ' (version+tag)' : ''}${args.createGitTag ? ' (creating git tag)' : ''}\n`;
         msg += "```";
         await sendMessageToWebhook(webhook, msg, { logger });
@@ -197,13 +214,13 @@ export async function publish(args) {
     // Default env
     const env = {
         ...process.env,
-        NPM_TOKEN: args.accessToken || undefined,
+        NPM_TOKEN: args.useOidc ? undefined : (args.accessToken || undefined),
         NPM_CONFIG_REGISTRY: (args.registry || 'https://registry.npmjs.org/'),
     }
 
 
     // set config
-    {
+    if (!args.useOidc) {
         let registryUrlWithoutScheme = (args.registry || 'https://registry.npmjs.org/').replace(/https?:\/\//, '');
         if (!registryUrlWithoutScheme.endsWith('/')) registryUrlWithoutScheme += '/';
 
@@ -223,6 +240,34 @@ export async function publish(args) {
         //         env
         //     });
         // }
+    } else {
+        logger.info(`Skipping npm config auth token setup - using OIDC authentication`);
+
+        // Check for OIDC environment variables (GitHub Actions sets these)
+        const hasOidcEnv = !!(process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
+        if (hasOidcEnv) {
+            logger.info(`✓ GitHub Actions OIDC environment detected`);
+            logger.info(`  ACTIONS_ID_TOKEN_REQUEST_URL: ${process.env.ACTIONS_ID_TOKEN_REQUEST_URL ? '(set)' : '(not set)'}`);
+            logger.info(`  ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN ? '(set)' : '(not set)'}`);
+        } else {
+            logger.warn(`⚠ GitHub Actions OIDC environment variables not detected!`);
+            logger.warn(`  This may indicate:`);
+            logger.warn(`  - The workflow doesn't have 'id-token: write' permission`);
+            logger.warn(`  - Not running in GitHub Actions`);
+            logger.warn(`  - Running on a self-hosted runner without OIDC support`);
+        }
+
+        // Clear any existing auth tokens that might interfere with OIDC
+        // npm OIDC works best when there's no conflicting token configuration
+        let registryUrlWithoutScheme = (args.registry || 'https://registry.npmjs.org/').replace(/https?:\/\//, '');
+        if (!registryUrlWithoutScheme.endsWith('/')) registryUrlWithoutScheme += '/';
+        try {
+            const clearCmd = `npm config delete //${registryUrlWithoutScheme}:_authToken`;
+            logger.info(`Clearing any existing auth token for OIDC: ${clearCmd}`);
+            tryExecSync(clearCmd, { cwd: packageDirectory, env });
+        } catch {
+            // Ignore errors - token might not exist
+        }
     }
 
     const htmlUrl = args.registry?.includes("npmjs") ? `https://www.npmjs.com/package/${packageJson.name}/v/${packageJson.version}` : (args.registry + `/${packageJson.name}`);
@@ -257,7 +302,12 @@ export async function publish(args) {
                 logger.info(`Package view result ${packageVersionPublished}`);
 
 
-                let cmd = `npm publish --access public`
+                const registryUrl = args.registry || 'https://registry.npmjs.org/';
+                let cmd = `npm publish --access public --registry ${registryUrl}`
+                if (args.useOidc) {
+                    cmd += ' --provenance';
+                    logger.info(`OIDC authentication enabled, adding --provenance flag for trusted publishing.`);
+                }
                 if (dryRun) {
                     cmd += ' --dry-run';
                     logger.info(`Dry run mode enabled, not actually publishing package.`);
@@ -294,8 +344,84 @@ export async function publish(args) {
                 }
                 else {
                     logger.error(`❌ Failed to publish package ${packageJson.name}@${packageJson.version}\n${res.error}`);
+
+                    // Provide helpful OIDC troubleshooting information if OIDC was enabled
+                    if (args.useOidc) {
+                        const errorStr = res.error?.toString() || res.output?.toString() || '';
+                        const is404Error = errorStr.includes('404') || errorStr.includes('Not found') || errorStr.includes('Not Found');
+                        const is401Error = errorStr.includes('401') || errorStr.includes('Unauthorized');
+                        const is403Error = errorStr.includes('403') || errorStr.includes('Forbidden');
+                        const isNeedAuthError = errorStr.includes('ENEEDAUTH') || errorStr.includes('need auth') || errorStr.includes('You need to authorize');
+
+                        logger.error(`\n${'='.repeat(80)}`);
+                        logger.error(`OIDC TROUBLESHOOTING GUIDE`);
+                        logger.error(`${'='.repeat(80)}`);
+
+                        if (isNeedAuthError) {
+                            logger.error(`\n⚠️  ERROR: ENEEDAUTH - Authentication Required`);
+                            logger.error(`   npm is not detecting the OIDC environment. This usually means:\n`);
+                            logger.error(`   a) MISSING PERMISSIONS: Workflow needs 'id-token: write' permission`);
+                            logger.error(`      Add to your workflow:`);
+                            logger.error(`      permissions:`);
+                            logger.error(`        contents: read`);
+                            logger.error(`        id-token: write\n`);
+                            logger.error(`   b) NPM VERSION TOO OLD: OIDC requires npm >= 11.5`);
+                            logger.error(`      Update Node.js to v22+ or run: npm install -g npm@latest\n`);
+                            logger.error(`   c) NOT IN GITHUB ACTIONS: OIDC only works in supported CI environments`);
+                            logger.error(`      Currently supported: GitHub Actions, GitLab CI/CD\n`);
+                            logger.error(`   d) SELF-HOSTED RUNNER: OIDC requires cloud-hosted runners\n`);
+                            logger.error(`   Environment check:`);
+                            logger.error(`      ACTIONS_ID_TOKEN_REQUEST_URL: ${process.env.ACTIONS_ID_TOKEN_REQUEST_URL ? '✓ set' : '✗ NOT SET'}`);
+                            logger.error(`      ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN ? '✓ set' : '✗ NOT SET'}`);
+                            logger.error(`      GITHUB_ACTIONS: ${process.env.GITHUB_ACTIONS ? '✓ set' : '✗ NOT SET'}\n`);
+                        } else if (is404Error) {
+                            logger.error(`\n⚠️  ERROR: 404 Not Found`);
+                            logger.error(`   This usually means one of the following:\n`);
+                            logger.error(`   a) FIRST-TIME PUBLISH: The package doesn't exist on npmjs.com yet.`);
+                            logger.error(`      → First publish MUST be done with a token: --access-token <token>`);
+                            logger.error(`      → After first publish, configure trusted publisher, then use --oidc\n`);
+                            logger.error(`   b) TRUSTED PUBLISHER NOT CONFIGURED for this package.`);
+                            logger.error(`      → Go to: https://www.npmjs.com/package/${packageJson.name}/access`);
+                            logger.error(`      → Click "Settings" → "Trusted Publisher" → "GitHub Actions"`);
+                            logger.error(`      → Configure: organization/user, repository, workflow filename\n`);
+                            logger.error(`   c) WORKFLOW FILENAME MISMATCH`);
+                            logger.error(`      → The workflow filename on npmjs.com must EXACTLY match your .yml file`);
+                            logger.error(`      → Check for typos, case sensitivity, and path differences\n`);
+                        } else if (is401Error) {
+                            logger.error(`\n⚠️  ERROR: 401 Unauthorized`);
+                            logger.error(`   The OIDC token was not accepted. Check:\n`);
+                            logger.error(`   a) GitHub Actions must have 'id-token: write' permission`);
+                            logger.error(`   b) Trusted publisher must be configured on npmjs.com`);
+                            logger.error(`   c) npm version must be >= 11.5\n`);
+                        } else if (is403Error) {
+                            logger.error(`\n⚠️  ERROR: 403 Forbidden`);
+                            logger.error(`   Access denied. Check:\n`);
+                            logger.error(`   a) You have publish permissions for this package`);
+                            logger.error(`   b) Trusted publisher configuration matches your workflow exactly`);
+                            logger.error(`   c) Repository owner/name matches the trusted publisher config\n`);
+                        } else {
+                            logger.error(`\nOIDC authentication failed. Please check the following:\n`);
+                        }
+
+                        logger.error(`CHECKLIST:`);
+                        logger.error(`  □ Package exists on npmjs.com (first publish requires --access-token)`);
+                        logger.error(`  □ Trusted publisher configured: https://www.npmjs.com/package/${packageJson.name}/access`);
+                        logger.error(`  □ Workflow has 'id-token: write' permission`);
+                        logger.error(`  □ npm version >= 11.5 (current: run 'npm --version' to check)`);
+                        logger.error(`  □ Using cloud-hosted runner (not self-hosted)`);
+                        logger.error(`  □ Workflow filename matches exactly (case-sensitive)\n`);
+                        logger.error(`DOCUMENTATION:`);
+                        logger.error(`  → npm Trusted Publishing: https://docs.npmjs.com/trusted-publishers/`);
+                        logger.error(`  → npm Provenance: https://docs.npmjs.com/generating-provenance-statements/`);
+                        logger.error(`${'='.repeat(80)}\n`);
+                    }
+
                     if (webhook) {
-                        await sendMessageToWebhookWithCodeblock(webhook, `❌ **Failed to publish package** \`${packageJson.name}@${packageJson.version}\`:`, res.error, { logger });
+                        let errorMsg = `❌ **Failed to publish package** \`${packageJson.name}@${packageJson.version}\`:`;
+                        if (args.useOidc) {
+                            errorMsg += `\n⚠️ OIDC was enabled. See logs for troubleshooting guide or visit: https://docs.npmjs.com/trusted-publishers/`;
+                        }
+                        await sendMessageToWebhookWithCodeblock(webhook, errorMsg, res.error, { logger });
                     }
                     throw new Error(`Failed to publish package ${packageJson.name}@${packageJson.version}: ${res.error}`);
                 }

types/index.d.ts

@@ -29,6 +29,13 @@ export type PublishOptions = {
 
     registry: string;
     accessToken: string | null | undefined;
+    /**
+     * Use OIDC (OpenID Connect) for authentication instead of access tokens.
+     * Requires npm >= 11.5 and a trusted publisher configured on npmjs.com.
+     * When enabled, the npm CLI will use the CI/CD provider's identity token.
+     * Currently supported in GitHub Actions and GitLab CI/CD.
+     */
+    useOidc: boolean;
     tag: string | null | undefined;
     setLatestTag: boolean | undefined;
     useHashInVersion: boolean;