Skip to content

ci: manually exchange OIDC token for npm dist-tag auth#1010

Closed
christso wants to merge 1 commit intomainfrom
ci/oidc-trusted-publishing
Closed

ci: manually exchange OIDC token for npm dist-tag auth#1010
christso wants to merge 1 commit intomainfrom
ci/oidc-trusted-publishing

Conversation

@christso
Copy link
Copy Markdown
Collaborator

@christso christso commented Apr 9, 2026

npm dist-tag doesn't support --provenance, so it can't use the automatic OIDC exchange. This manually:

  1. Requests a GitHub OIDC token with npm:registry.npmjs.org audience
  2. Exchanges it for a short-lived npm token via /-/npm/v1/oidc/token/exchange/package/...
  3. Writes the token to ~/.npmrc before running promote:latest

No web UI changes or stored secrets needed.

🤖 Generated with Claude Code

@christso @claude
ci: manually exchange OIDC token for npm dist-tag auth
fd74954 
npm dist-tag doesn't support --provenance, so manually exchange the
GitHub OIDC token for a short-lived npm token via the registry API
before running promote:latest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Apr 9, 2026

Deploying agentv with  Cloudflare Pages  Cloudflare Pages

Latest commit: fd74954
Status: ✅  Deploy successful!
Preview URL: https://13a1f969.agentv.pages.dev
Branch Preview URL: https://ci-oidc-trusted-publishing.agentv.pages.dev

View logs

@christso
Copy link
Copy Markdown
Collaborator Author

christso commented Apr 9, 2026

Closing in favour of a cleaner approach: finalize release type + publish-latest action, avoiding dist-tag entirely.

@christso christso closed this Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@christso