
Commit b1899c8

feat: allow publishing via OIDC authentication (#2)
This is required by npm since 2026. npm publish automatically grabs the correct environment variables for OIDC, but aspublish prior to this change would've bailed prematurely due to it expecting a token to exist. Here are some references to look at:

* https://docs.npmjs.com/trusted-publishers#github-actions-configuration
* https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi

OIDC is enabled for a package by setting the GitHub repo as the trusted publisher in the npm website, removing the NPM_TOKEN secret, and adding `id-token: write` under `permissions` in the Actions workflow.
1 parent 47096be commit b1899c8

File tree

2 files changed

+7
-2
lines changed


.github/workflows/publish.yml

Lines changed: 2 additions & 1 deletion
@@ -7,6 +7,8 @@ jobs:
77
release:
88
name: Release
99
runs-on: ubuntu-latest
10+
permissions:
11+
id-token: write
1012
steps:
1113
- uses: actions/checkout@v1
1214
with:
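Review bot: adding a job-level `permissions:` block that lists only `id-token: write` resets every other scope of the job's `GITHUB_TOKEN` to `none`, so the `GITHUB_TOKEN` handed to the "Make release" step below no longer has write access to the repository and the GitHub release that `publishRelease` creates will be rejected; add `contents: write` next to `id-token: write`. While touching this job, `actions/checkout@v1` is pinned only to a floating major tag; now that the job can mint an OIDC identity that npm trusts, pin third-party actions to a full commit SHA.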
@@ -19,7 +21,6 @@ jobs:
1921
- name: Make release
2022
env:
2123
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
22-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
2324
run: |
2425
VERSION=$(node bin/aspublish.js --version)
2526
if [ -z "$VERSION" ]; then
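Review bot: removing `NPM_TOKEN` from `env` only stops this job from using the secret; for the migration to actually reduce exposure the repository secret must be deleted and the token revoked on npmjs.com, as the commit message describes, otherwise a previously leaked value stays valid. The OIDC path also relies on the runner's npm being a recent 11.x (the new code comment points at v11.11.0), so pin the Node/npm version this workflow installs; with an older npm the publish would not fall back but would instead fail with the "missing NPM_TOKEN" error from `getNpmToken`.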

index.js

Lines changed: 5 additions & 1 deletion
@@ -155,6 +155,10 @@ export function getGithubToken() {
155155

156156
/** Gets the npm token to use. */
157157
export function getNpmToken() {
158+
// https://github.com/npm/cli/blob/v11.11.0/lib/utils/oidc.js#L64-L70
159+
const isOidc = process.env.GITHUB_ACTIONS === "true" && process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
160+
if (isOidc) return null;
161+
158162
const token = process.env.NPM_TOKEN || "";
159163
if (!token) throw Error("missing NPM_TOKEN");
160164
return token;
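Review bot: the JSDoc on `getNpmToken` still reads "Gets the npm token to use." but the function now returns `null` on the OIDC path; document both outcomes, e.g. `/** Returns the npm token, or null when npm should authenticate via GitHub Actions OIDC. */`. When both the OIDC variables and `NPM_TOKEN` are present the token is silently ignored, which is surprising mid-migration; log which mode was selected so a failed publish is easy to diagnose. Minor: `isOidc` is the raw `ACTIONS_ID_TOKEN_REQUEST_TOKEN` string rather than a boolean; wrap the expression in `Boolean(...)` so the request token does not end up in any debug output of the flag.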
@@ -256,6 +260,6 @@ export function publishRelease(nextVersion, commit, notes) {
256260
export function publishPackage(version) {
257261
const token = getNpmToken();
258262
run("npm", ["version", version, "--no-git-tag-version", "--allow-same-version"]);
259-
run("npm", ["config", "set", `//registry.npmjs.org/:_authToken=${token}`]);
263+
if (token) run("npm", ["config", "set", `//registry.npmjs.org/:_authToken=${token}`]);
260264
run("npm", ["publish", "--access", "public"]);
261265
}
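Review bot: `npm config set //registry.npmjs.org/:_authToken=...` writes the token into the user-level `.npmrc`, where it persists beyond the job; on the new OIDC branch nothing clears a stale token left by an earlier token-based run on the same (self-hosted) runner, and a token already present in config may be used instead of the OIDC exchange. Prefer scoping the credential to the single command, e.g. via the `NPM_CONFIG_//registry.npmjs.org/:_authToken` environment variable on the `npm publish` call, rather than persisting it. Since the package is now published from GitHub Actions with an OIDC identity, `--provenance` on the `npm publish` line is also worth considering.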
