chore(ci): switch publish to OIDC trusted publishing#1838
Open
felixweinberger wants to merge 1 commit into main from
Conversation
Drops NPM_TOKEN/NODE_AUTH_TOKEN from the publish job. npm CLI auto-detects GitHub Actions OIDC (id-token: write was already present from #1836) and exchanges for a short-lived publish credential. Also drops registry-url from setup-node — it writes a .npmrc expecting NODE_AUTH_TOKEN, which short-circuits before OIDC kicks in. npm defaults to npmjs.org without it. Requires trusted publishers configured per-package on npmjs.com: client/server/express/hono/node/fastify → workflow release.yml, environment release.
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
Drops `NPM_TOKEN`/`NODE_AUTH_TOKEN` from `release.yml`'s publish job. npm CLI auto-detects GitHub Actions OIDC and exchanges for a short-lived publish credential — no long-lived secret to rotate.

Motivation and Context

Trusted publishing is npm's recommended path and what the token-creation UI itself nudges toward.

`id-token: write` was already added in #1836 for provenance — the workflow is OIDC-ready. This just removes the token plumbing.

Also drops `registry-url` from `setup-node` — it writes a `.npmrc` containing `${NODE_AUTH_TOKEN}`, which interferes with OIDC auto-detect when the env var is empty. npm defaults to `registry.npmjs.org` without it.

How Has This Been Tested?

Workflow YAML only. The publish path can't be tested without merging.

Breaking Changes

None.

Types of changes

Checklist

Additional context

After this merges, the `NPM_TOKEN` secret in the `release` environment can be deleted entirely.
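The token-to-OIDC change the PR describes, shown as an added illustration rather than the project's own release.yml: the old token-based publish job is kept as comments above the trusted-publishing version. The trigger, job name, Node version and the `npm ci` step are assumptions; the `release.yml` filename and `release` environment are the ones the description says must match the trusted-publisher entry on npmjs.com.

```yaml
# Added example, not the project's actual release.yml. Trigger, Node version
# and the npm ci step are assumptions.

# --- before: long-lived token written into .npmrc by setup-node -----------
# jobs:
#   publish:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - uses: actions/setup-node@v4
#         with:
#           node-version: 22
#           registry-url: https://registry.npmjs.org   # writes .npmrc with ${NODE_AUTH_TOKEN}
#       - run: npm publish --access public
#         env:
#           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # long-lived secret to rotate and protect

# --- after: short-lived credential obtained through GitHub Actions OIDC -----
name: release
on:
  push:
    tags: ['v*']                  # assumption: releases are cut from version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release          # must match the trusted publisher configured per package
    permissions:
      contents: read
      id-token: write             # lets npm request the OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # no registry-url: it would write an .npmrc expecting NODE_AUTH_TOKEN,
          # which short-circuits npm's OIDC auto-detection when that var is empty
      - run: npm ci
      - run: npm publish --provenance --access public
        # no NODE_AUTH_TOKEN in env: npm detects the Actions OIDC token and
        # exchanges it for a short-lived publish credential bound to this
        # workflow file (release.yml) and environment (release)
```

Anything still passing `NODE_AUTH_TOKEN` or `registry-url` in the publish job reintroduces the token path the PR removes, so a review of the merged workflow should confirm both are gone.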