[Enhancement] Switching NPM publishing for repos from classic tokens to trusted publisher

Hi All,

Seems like we need to take note on switching npm tokens from classic to granular tokens,
which needs to be rotated every 90 days now, or trusted publisher just like PyPI.

Libs code here: 
https://github.com/opensearch-project/opensearch-build-libraries/blob/bd435917ca81dd1f63724d687be81e0851df3088/vars/publishToNpm.groovy#L23-L33

Related repos (might have more repos):
* https://github.com/opensearch-project/opensearch-js/blob/9b40aedd2c36c32fdc160649535c6fa4be952825/jenkins/release.JenkinsFile#L10
* https://github.com/opensearch-project/opensearch-cluster-cdk/blob/57ef535d8f455bd9e236082d3bf675d294927d4f/jenkins/release.jenkinsFile#L11
* https://github.com/opensearch-project/oui/blob/fd97744bff080df3f8b8488a0fcc0a7105bcd4a4/jenkins/release.JenkinsFile#L11
* https://github.com/opensearch-project/reporting-cli/blob/e5bc728b8e4c33ff2a3469cea09b2596a6e94a25/jenkins/release.JenkinsFile#L12

Related links:
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
https://github.com/orgs/community/discussions/174507
https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/

Thanks,
Peter


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Enhancement] Switching NPM publishing for repos from classic tokens to trusted publisher #5773

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Enhancement] Switching NPM publishing for repos from classic tokens to trusted publisher #5773

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions