feat: allow publishing via OIDC authentication (#2)

CountBleck · web-flow · commit b1899c867206 · 2026-03-09T07:17:27.000-07:00
This is required by npm since 2026. npm publish automatically grabs the correct environment variables for OIDC, but aspublish prior to this change would've bailed prematurely due to it expecting a token to exist. Here are some references to look at: * https://docs.npmjs.com/trusted-publishers#github-actions-configuration * https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi OIDC is enabled for a package by setting the GitHub repo as the trusted publisher in the npm website, removing the NPM_TOKEN secret, and adding `id-token: write` under `permissions` in the Actions workflow.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,6 +7,8 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
     - uses: actions/checkout@v1
       with:
@@ -19,7 +21,6 @@ jobs:
     - name: Make release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        NPM_TOKEN:  ${{ secrets.NPM_TOKEN }}
       run: |
         VERSION=$(node bin/aspublish.js --version)
         if [ -z "$VERSION" ]; then
diff --git a/index.js b/index.js
@@ -155,6 +155,10 @@ export function getGithubToken() {
 
 /** Gets the npm token to use. */
 export function getNpmToken() {
+  // https://github.com/npm/cli/blob/v11.11.0/lib/utils/oidc.js#L64-L70
+  const isOidc = process.env.GITHUB_ACTIONS === "true" && process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+  if (isOidc) return null;
+
   const token = process.env.NPM_TOKEN || "";
   if (!token) throw Error("missing NPM_TOKEN");
   return token;
@@ -256,6 +260,6 @@ export function publishRelease(nextVersion, commit, notes) {
 export function publishPackage(version) {
   const token = getNpmToken();
   run("npm", ["version", version, "--no-git-tag-version", "--allow-same-version"]);
-  run("npm", ["config", "set", `//registry.npmjs.org/:_authToken=${token}`]);
+  if (token) run("npm", ["config", "set", `//registry.npmjs.org/:_authToken=${token}`]);
   run("npm", ["publish", "--access", "public"]);
 }
