Skip to content

ci(release): migrate publish to npm trusted publishing via OIDC#128

Merged
hristoterezov merged 1 commit into
masterfrom
ci/trusted-publishing
May 7, 2026
Merged

ci(release): migrate publish to npm trusted publishing via OIDC#128
hristoterezov merged 1 commit into
masterfrom
ci/trusted-publishing

Conversation

@hristoterezov

Copy link
Copy Markdown
Member

Summary

  • Replaces broken NPM_AUTH_TOKEN (auth-failing since 2025-11) with npm Trusted Publishing via GitHub Actions OIDC. No long-lived secret, short-lived per-run credentials, automatic provenance attestations.
  • Splits autopublish.yml into bump.yml (master push → version bump + tag) and publish.yml (tag push → tests + publish). Only publish.yml holds id-token: write.
  • Adds npm test as a release gate inside publish.yml.
  • Bumps actions/checkout v5 → v6.0.2 and actions/setup-node v6.3.0 → v6.4.0 (latest minors in v6.x).
  • Bumps Node 18 → 24 (Trusted Publishing requires npm ≥ 11.5.1, which ships with Node ≥ 22.14; 24 matches the npm docs example and is current).
  • Switches npm installnpm ci in the publish path for deterministic installs.
  • Adds package-manager-cache: false per the npm docs guidance ("never use caching in release builds").

Why

Versions 6.2.1, 6.2.2, 6.2.3, and 6.3.0 were bumped on master but never published — npm publish has been failing with 404 Not Found (npm's stand-in for "auth failed" on a scoped package) since 2025-11. The shared NPM_AUTH_TOKEN was last rotated in July 2022 and is no longer valid. Rotating it again puts us right back on the same time-bomb.

Required action before merge

A Trusted Publisher must be configured on npmjs.com for @jitsi/js-utils:

  • Organization or user: jitsi
  • Repository: js-utils
  • Workflow filename: publish.yml
  • Environment name: (leave blank)

Without this, publish.yml will fail at the OIDC token-exchange step.

After merge

  1. Master push triggers bump.yml → bumps to next version, pushes tag.
  2. Tag push triggers publish.yml → runs npm test, then npm publish via OIDC.
  3. Verify with npm view @jitsi/js-utils version (should leave 6.2.0).
  4. Delete the unused secret: gh secret delete NPM_AUTH_TOKEN --repo jitsi/js-utils.

Test plan

  • Configure Trusted Publisher on npmjs.com before merge
  • After merge, watch bump.yml push the next version tag
  • Watch publish.yml run on the tag, succeed at npm test and npm publish
  • Confirm new version on npm registry
  • Confirm Provenance section appears on the package page
  • Delete NPM_AUTH_TOKEN secret

The shared NPM_AUTH_TOKEN secret last rotated in 2022 has been
auth-failing on every publish since 2025-11. As a result, versions
6.2.1, 6.2.2, 6.2.3, and 6.3.0 were bumped on master but never
published to npm; the registry is stuck at 6.2.0.

Rotating the classic token would put us back on the same time-bomb.
Trusted Publishing replaces the long-lived secret with short-lived
GitHub Actions OIDC tokens that npm exchanges for a publish
credential at publish time. Nothing to rotate, nothing to leak,
provenance attestations come for free.

The single autopublish.yml is split into two workflows so only the
publish step holds id-token: write -- narrowing the surface that
could mint OIDC tokens if a workflow file or third-party action
were compromised. bump.yml triggers on master push and pushes a
version tag; publish.yml triggers on the tag push, runs npm test
as a release gate, and publishes via OIDC.

Note: requires the @jitsi/js-utils npm package to have a Trusted
Publisher entry configured on npmjs.com pointing at this repo and
publish.yml -- must be in place before merge.
@codecov

codecov Bot commented May 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (0823753) to head (f0259f2).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff            @@
##            master      #128   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines         1870      1870           
  Branches        47        47           
=========================================
  Hits          1870      1870           

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0823753...f0259f2. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@hristoterezov hristoterezov merged commit 83efc05 into master May 7, 2026
6 checks passed
@hristoterezov hristoterezov deleted the ci/trusted-publishing branch May 7, 2026 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants