ci(release): migrate publish to npm trusted publishing via OIDC#128
Merged
Conversation
The shared NPM_AUTH_TOKEN secret last rotated in 2022 has been auth-failing on every publish since 2025-11. As a result, versions 6.2.1, 6.2.2, 6.2.3, and 6.3.0 were bumped on master but never published to npm; the registry is stuck at 6.2.0. Rotating the classic token would put us back on the same time-bomb. Trusted Publishing replaces the long-lived secret with short-lived GitHub Actions OIDC tokens that npm exchanges for a publish credential at publish time. Nothing to rotate, nothing to leak, provenance attestations come for free. The single autopublish.yml is split into two workflows so only the publish step holds id-token: write -- narrowing the surface that could mint OIDC tokens if a workflow file or third-party action were compromised. bump.yml triggers on master push and pushes a version tag; publish.yml triggers on the tag push, runs npm test as a release gate, and publishes via OIDC. Note: requires the @jitsi/js-utils npm package to have a Trusted Publisher entry configured on npmjs.com pointing at this repo and publish.yml -- must be in place before merge.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #128 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 7 7
Lines 1870 1870
Branches 47 47
=========================================
Hits 1870 1870 Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
damencho
approved these changes
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
NPM_AUTH_TOKEN(auth-failing since 2025-11) with npm Trusted Publishing via GitHub Actions OIDC. No long-lived secret, short-lived per-run credentials, automatic provenance attestations.autopublish.ymlintobump.yml(master push → version bump + tag) andpublish.yml(tag push → tests + publish). Onlypublish.ymlholdsid-token: write.npm testas a release gate insidepublish.yml.actions/checkoutv5 → v6.0.2 andactions/setup-nodev6.3.0 → v6.4.0 (latest minors in v6.x).npm install→npm ciin the publish path for deterministic installs.package-manager-cache: falseper the npm docs guidance ("never use caching in release builds").Why
Versions 6.2.1, 6.2.2, 6.2.3, and 6.3.0 were bumped on master but never published —
npm publishhas been failing with404 Not Found(npm's stand-in for "auth failed" on a scoped package) since 2025-11. The sharedNPM_AUTH_TOKENwas last rotated in July 2022 and is no longer valid. Rotating it again puts us right back on the same time-bomb.Required action before merge
A Trusted Publisher must be configured on npmjs.com for
@jitsi/js-utils:jitsijs-utilspublish.ymlWithout this,
publish.ymlwill fail at the OIDC token-exchange step.After merge
bump.yml→ bumps to next version, pushes tag.publish.yml→ runsnpm test, thennpm publishvia OIDC.npm view @jitsi/js-utils version(should leave6.2.0).gh secret delete NPM_AUTH_TOKEN --repo jitsi/js-utils.Test plan
bump.ymlpush the next version tagpublish.ymlrun on the tag, succeed atnpm testandnpm publishNPM_AUTH_TOKENsecret