Configure release pipeline to use trusted publishing instead of access tokens#30
Codecov Report ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files (Coverage Diff):

|          | master | #30    | +/- |
|----------|--------|--------|-----|
| Coverage | 86.66% | 86.66% |     |
| Files    | 20     | 20     |     |
| Lines    | 1177   | 1177   |     |
| Branches | 199    | 188    | -11 |
| Hits     | 1020   | 1020   |     |
| Misses   | 157    | 157    |     |

Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
Pull request overview
Updates the release/publishing process to move away from long-lived NPM_TOKEN secrets and toward npm “trusted publishing” (OIDC) by adjusting the GitHub Actions release workflow and related maintainer documentation.
Changes:
- Updated `.github/workflows/release.yml` to request OIDC (`id-token: write`) and removed `NODE_AUTH_TOKEN` usage for `npm publish`.
- Removed `NPM_TOKEN` setup references from maintainer docs and setup guidance.
- Adjusted publishing/setup docs to reflect the updated secrets requirements (Codecov + GitHub Pages).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| `.github/workflows/release.yml` | Enables OIDC token permissions and removes secret-token based npm auth for publishing. |
| `PUBLISHING.md` | Removes NPM_TOKEN instructions and updates some publishing prerequisites/troubleshooting text. |
| `README.md` | Removes NPM_TOKEN secret requirements from maintainer setup notes. |
| `scripts/test-setup.sh` | Updates "Next steps" guidance to no longer mention NPM_TOKEN. |
| ### Build matrix | ||
| - Tests run on Node.js 18.x, 20.x, 22.x. | ||
| - Cross-platform testing (Ubuntu). | ||
| - Coverage reporting to Codecov. | ||
|
|
||
| ### Security | ||
| - NPM token stored securely in GitHub Secrets. | ||
| - No sensitive data in the repository. | ||
| - Automated security scanning (dependabot). |
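Review bot: the Security bullets now misdescribe the trust model. After this PR no npm credential lives in GitHub Secrets; the authority to publish comes from the job's GitHub OIDC token (`id-token: write`) being accepted by a trusted publisher configured on npmjs.com, and that trusted publisher is bound to this repository and the workflow filename (`release.yml`), so renaming the workflow file breaks publishing until the npm-side configuration is updated. Replace the `NPM token stored securely in GitHub Secrets` bullet with that description, and list the Node versions the CI workflow actually runs rather than 18.x/20.x/22.x.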
This section is now inaccurate for trusted publishing: CI currently runs Node 20.x/22.x/24.x (not 18.x/20.x/22.x), and the “NPM token stored in GitHub Secrets” bullet no longer applies when using OIDC trusted publishing. Please update these bullets to match the actual workflows and auth approach.
| - Check if `CODECOV_TOKEN` is set correctly. | ||
| - Check if NPM publishing is configured correctly. | ||
| - Verify that the package name is available. | ||
| - Ensure version hasn't been published before. |
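Review bot: `Check if NPM publishing is configured correctly` gives a maintainer nothing to act on once NPM_TOKEN is gone. Spell out what to verify: that the trusted publisher on npmjs.com names this exact owner/repository and workflow filename (and the environment, if one is configured), that the job doing the publish itself grants `id-token: write`, and that the npm CLI in the job is new enough for OIDC publishing (npm requires 11.5.1 or later; the npm bundled with Node 20.x and 22.x is 10.x and will fall back to looking for a token).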
The troubleshooting guidance for npm publish failures is too vague after removing NPM_TOKEN. Consider adding concrete checks specific to trusted publishing (e.g., verify the npm package has a trusted publisher configured for this repo/workflow, and that the workflow has id-token: write permissions).
| - Check if `CODECOV_TOKEN` is set correctly. | |
| - Check if NPM publishing is configured correctly. | |
| - Verify that the package name is available. | |
| - Ensure version hasn't been published before. | |
| - Verify that the GitHub Actions workflow used for publishing has the required permissions, e.g.: | |
| - At workflow or job level: | |
| ```yaml | |
| permissions: | |
| contents: read | |
| id-token: write | |
| ``` | |
| - Check that the npm package is configured with a **trusted publisher** for this GitHub repository/workflow (on npmjs.com → your package → *Access* / *Publish from CI*). | |
| - Inspect the publish workflow logs for OIDC / authorization errors such as: | |
| - "insufficient permissions to generate an OIDC token" | |
| - "No trusted publisher is configured for this GitHub repository" | |
| If you see these, re-check the `permissions` block and the trusted publisher configuration above. | |
| - Verify that the package name is available on npm and that it matches the `name` field in `package.json`. | |
| - Ensure the version in `package.json` has not already been published (`npm view <package-name> versions`). |
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| node-version: '22.x' |
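Review bot: bumping setup-node to 22.x does not by itself give the job an npm CLI that can do OIDC trusted publishing. Node 22.x still bundles npm 10.x, and npm's trusted publishing requires CLI 11.5.1 or newer, so without an upgrade step `npm publish` will not attempt the OIDC exchange at all. Either add `run: npm install -g npm@latest` (or a pinned `npm@11`) after this step, or use a Node line that bundles npm 11. If the 22.x bump exists only to get a newer npm, say so in a comment so it is not reverted to 20.x for consistency with the build workflow.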
The release workflow uses Node 22.x, while other workflows/build steps use Node 20.x and the package declares support for Node >=18. Using a higher Node version for the release build can produce artifacts that differ from what CI validates. Consider building/publishing with the same Node version as the main build workflow (e.g., 20.x) unless there’s a specific reason to require 22.x.
| node-version: '22.x' | |
| node-version: '20.x' |
| - name: Publish to NPM | ||
| run: | | ||
| if [ "${{ github.event.inputs.pre_release }}" == "true" ]; then | ||
| echo "Publishing pre-release with beta tag" | ||
| npm publish --tag beta | ||
| else | ||
| echo "Publishing stable release" | ||
| npm publish | ||
| fi |
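Review bot: two points on this step. First, if a `permissions:` block is declared on this job it replaces the workflow-level block entirely, so `id-token: write` (with `contents: read`) must be present at the level of the job that runs `npm publish`; otherwise the runner never exposes the OIDC token endpoint and the publish fails with an authentication error rather than a helpful one. Second, `${{ github.event.inputs.pre_release }}` is expanded into the shell script before it runs; that is only safe if the `pre_release` input is declared `type: boolean`. If it is a free-form string, pass it through `env:` and test `"$PRE_RELEASE"` instead, since its value is controlled by whoever dispatches the workflow. Passing `--provenance` explicitly would also make the step fail if no OIDC token can be obtained instead of silently trying a token-based publish.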
npm publish no longer has any token-based auth configured. If trusted publishing (OIDC) is not fully set up for the npm package, this step will fail at release time. Consider adding a clear preflight check (or a more explicit configuration such as enabling provenance/OIDC per npm’s trusted publishing requirements) so failures point maintainers to the missing trusted-publisher setup.
| echo "3. Enable GitHub Pages in repository settings." | ||
| echo "4. Run './scripts/publish.sh patch' to test publishing." | ||
| echo "2. Enable GitHub Pages in repository settings." | ||
| echo "3. Run './scripts/publish.sh patch' to test publishing." |
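Review bot: whatever replaces the removed NPM_TOKEN step should point maintainers at the right place. The trusted publisher is configured on npmjs.com (package settings, Trusted Publisher, provider GitHub Actions) with the repository owner, repository name, workflow filename `release.yml` and optionally an environment name; on the GitHub side nothing beyond the `id-token: write` permission already in the workflow is needed. Wording the step as "configure trusted publishing in GitHub" would send people to the wrong settings page.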
./scripts/test-setup.sh now removes the NPM_TOKEN step but doesn’t replace it with the new requirement for npm trusted publishing. The “Next steps” section should mention configuring npm trusted publishing/OIDC for this repo/workflow; otherwise it implies publishing is ready when a critical external configuration is still needed.
| echo "3. Run './scripts/publish.sh patch' to test publishing." | |
| echo "3. Configure npm trusted publishing/OIDC for this repository/workflow in GitHub." | |
| echo "4. After trusted publishing is configured, run './scripts/publish.sh patch' to test publishing." |
| ### Repository setup (for maintainers) | ||
|
|
||
| Before pushing to production, ensure these secrets are configured in GitHub: | ||
|
|
||
| 1. **NPM_TOKEN** - required for automated NPM publishing: | ||
| - Go to [npmjs.com](https://npmjs.com) → Account → Access Tokens. | ||
| - Create "Automation" token with "Publish" permissions. | ||
| - Add to GitHub from Settings → Secrets and variables → Actions. | ||
|
|
||
| 2. **GitHub Pages** - required for CDN deployment: | ||
| 1. **GitHub Pages** - required for CDN deployment: |
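Review bot: deleting the NPM_TOKEN instructions does not retire the credential. The docs (ideally as a checklist item) should tell maintainers to revoke the existing automation token on npmjs.com and delete the `NPM_TOKEN` repository secret once a trusted-publishing release has succeeded; otherwise a long-lived, publish-capable token keeps existing, which is exactly the exposure this PR is meant to remove.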
The PR title is scoped to switching the release pipeline from access tokens to trusted publishing, but this README change also removes the entire “Pre-push checklist” section. If that removal wasn’t intentional, consider restoring it (and only adjusting the checklist items that mention NPM_TOKEN), or move it to another doc and link to it here.
| 1. **GitHub repository** - ensure your code is hosted on GitHub. | ||
| 2. **NPM account** - create an account at [npmjs.com](https://npmjs.com). | ||
| 3. **Node.js** - version 18.x or higher. | ||
| 3. **Node.js** - version 20.x or higher. |
PUBLISHING.md now states Node.js 20.x+ is required, but the repo’s declared support is still engines.node >=18.0.0 (package.json) and docs/CI still reference multiple Node versions. Please align the documented prerequisite with the actual supported Node range (update engines/CI accordingly, or revert the doc change).
| 3. **Node.js** - version 20.x or higher. | |
| 3. **Node.js** - version 18.x or higher. |
| 2. **Add repository secrets**: | ||
| Go to repository Settings → Secrets and variables → Actions and add: | ||
|
|
||
| ``` | ||
| NPM_TOKEN: your_npm_publish_token | ||
| CODECOV_TOKEN: your_codecov_token | ||
| ``` |
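Review bot: this block now lists only `CODECOV_TOKEN`, and the npm-side setup that replaces `NPM_TOKEN` is undocumented. Add the steps here: on npmjs.com open the package, add a Trusted Publisher of type GitHub Actions with the owner, repository and workflow filename `release.yml`; if the publish job runs in a GitHub environment, name it in the trusted publisher as well and protect that environment with required reviewers, because without an environment the binding is only repository plus workflow file, so anyone who can run that workflow can publish. It is also worth pointing maintainers at the package's publishing-access setting that disallows tokens, so the OIDC path becomes the only way to publish.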
The setup section removes NPM_TOKEN but doesn’t add any instructions for configuring npm “trusted publishing” (OIDC) on the npm package side. Since the release workflow now has no auth token configured, PUBLISHING.md should document the required npm configuration (trusted publisher linking to this GitHub repo/workflow) so maintainers can successfully publish.
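The preflight check the review asks for, written here as an added example; it is not the project's script and not code from this PR. It assumes a GitHub Actions job with `package.json` in the working directory and `node`/`npm` on PATH when run with `--run`. The function names, the `--run` flag and the hypothetical path in the usage note are choices made for this example; the 11.5.1 threshold is npm's documented minimum CLI version for trusted publishing, and `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` are the variables GitHub sets in a job only when it has `id-token: write`.

```shell
#!/usr/bin/env sh
# Preflight checks for npm trusted publishing (OIDC) in a GitHub Actions job.
# Added illustration for this review; not part of the project's release workflow.
# Assumptions (not from the PR): GitHub Actions runner, package.json in the
# working directory, node and npm on PATH when invoked with --run.

# Minimum npm CLI that performs the OIDC exchange (npm's documented requirement).
NPM_MIN_VERSION="11.5.1"

# version_ge A B: exit 0 when dotted version A >= B, comparing the first three
# numeric fields; a prerelease suffix such as "1-beta" is read as its number.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# npm_cli_ok [VERSION]: 0 when the npm CLI (argument, or `npm --version`) is
# new enough for OIDC publishing. Node 20.x and 22.x bundle npm 10.x, too old.
npm_cli_ok() {
  version_ge "${1:-$(npm --version)}" "$NPM_MIN_VERSION"
}

# oidc_env_ok: 0 when the runner exposed the OIDC token endpoint, which GitHub
# does only when the job itself (not merely the workflow) has id-token: write.
oidc_env_ok() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# preflight: run every check, print each failure with its fix, and return
# non-zero if any failed so the publish step never runs with a known-bad setup.
preflight() {
  status=0
  if ! oidc_env_ok; then
    echo "FAIL: no OIDC token endpoint in the job env; add 'id-token: write' to this job's permissions" >&2
    status=1
  fi
  if ! npm_cli_ok; then
    echo "FAIL: npm $(npm --version) < $NPM_MIN_VERSION; run 'npm install -g npm@latest' before npm publish" >&2
    status=1
  fi
  name=$(node -p "require('./package.json').name")
  version=$(node -p "require('./package.json').version")
  # npm view prints the version only if that exact version already exists on the registry.
  published=$(npm view "$name@$version" version 2>/dev/null || true)
  if [ -n "$published" ]; then
    echo "FAIL: $name@$version is already published; bump the version in package.json" >&2
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: ready for OIDC trusted publishing of $name@$version"
  return "$status"
}

# Only run the checks when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Invoke it as a step between `actions/setup-node` and the publish step, for example `run: sh scripts/preflight-publish.sh --run` (hypothetical path). Because the three checks map one-to-one onto the failure modes the review discusses (missing job-level `id-token: write`, an npm CLI that predates trusted publishing, a version that is already on the registry), a failed release points the maintainer at the specific missing configuration instead of a generic auth error from `npm publish`.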
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1d6833f58b
| ``` | ||
| NPM_TOKEN: your_npm_publish_token | ||
| CODECOV_TOKEN: your_codecov_token | ||
| ``` |
Add npm trusted-publisher setup instructions
This setup section now instructs maintainers to add only CODECOV_TOKEN, while the release workflow publishes to npm without NODE_AUTH_TOKEN (.github/workflows/release.yml, Publish to NPM). In repositories where npm trusted publishing has not been explicitly configured on npmjs.org, npm publish will fail with authentication errors, so following this document leads to a non-working release setup for new projects.
No description provided.