
Migrate to OIDC on publishing npm packages in GitHub Actions

Open legendecas opened this issue 5 months ago • 6 comments

See https://docs.npmjs.com/trusted-publishers for documentation.

Note: Trusted publishing requires npm CLI version 11.5.1 or later.

TL;DR: add the following section to the workflow file to replace ${{ secrets.NPM_TOKEN }}, and create an OIDC connection on https://www.npmjs.com/package/<package-name>/access:

permissions:
  id-token: write  # Required for OIDC
  contents: read

This should help us get rid of npm tokens in GitHub Actions for publishing packages.

Quick search on npm token usages: https://github.com/search?q=org%3Anodejs+path%3A%22.github%2Fworkflows%22+%22npm+publish%22&type=code

legendecas avatar Aug 15 '25 10:08 legendecas

I've set up the connection for @node-core/utils:

(screenshot attached)

targos avatar Aug 15 '25 15:08 targos

https://github.com/nodejs/nodejs.org has been migrated to OIDC

avivkeller avatar Aug 19 '25 22:08 avivkeller

Another important note is that npm must be at least v11.5.1. So make sure to add npm install -g npm@latest or npm install -g npm@11 so that OIDC support is available in the npm CLI. I believe this was an issue on the latest node-gyp release https://github.com/nodejs/node-gyp/issues/3201 which I'm attempting to fix in https://github.com/nodejs/node-gyp/pull/3202

lukekarrys avatar Aug 20 '25 18:08 lukekarrys
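A complete publish workflow that combines the two points raised above (the issue body's permissions block and the npm 11.5.1 minimum that lukekarrys points out), as an added example that is not from the original issue or from any nodejs repository. It assumes a workflow file named publish.yml triggered by a version tag, Node 22, and a trusted publisher registered on npmjs.com for this repository with that exact workflow filename; those names are illustrative. There is no NODE_AUTH_TOKEN or NPM_TOKEN anywhere in the job: npm obtains a short-lived credential from the GitHub OIDC token at publish time.

```yaml
# .github/workflows/publish.yml  (filename is an assumption; it must match
# the "Workflow filename" entered in the package's Trusted Publisher settings)
name: Publish to npm via OIDC

on:
  push:
    tags:
      - 'v*'   # assumption: releases are cut by pushing a version tag

jobs:
  publish:
    runs-on: ubuntu-latest
    # Scope the token permissions to this job only. `id-token: write` lets the
    # job request an OIDC token from GitHub; nothing else needs write access.
    permissions:
      id-token: write  # Required for OIDC
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'   # assumption; any supported Node release works
          registry-url: 'https://registry.npmjs.org'

      # The npm bundled with a Node release may predate 11.5.1, in which case
      # `npm publish` silently falls back to looking for a token and fails.
      # Upgrade first and refuse to continue if the version is still too old.
      - name: Ensure npm >= 11.5.1 (required for OIDC trusted publishing)
        run: |
          npm install -g npm@11
          node -e '
            const v = require("child_process").execSync("npm --version").toString().trim();
            const [maj, min, pat] = v.split(".").map(Number);
            const ok = maj > 11 || (maj === 11 && (min > 5 || (min === 5 && pat >= 1)));
            if (!ok) { console.error(`npm ${v} is too old for OIDC publishing`); process.exit(1); }
            console.log(`npm ${v} ok`);
          '

      - run: npm ci

      - run: npm test

      # No token in env: with a registered trusted publisher, npm exchanges the
      # GitHub OIDC token for publish credentials on its own.
      - run: npm publish
```

Two checks worth doing once the workflow is in place: confirm the npm package's Access page lists the repository and workflow filename exactly as they appear in GitHub (a mismatch is rejected at publish time rather than at setup), and search the workflow for any remaining NODE_AUTH_TOKEN or secrets.NPM_TOKEN references so the old token can be revoked without leaving a job that still depends on it.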

@legendecas Would you be able to update the issue body with some mention of the required npm version?

lukekarrys avatar Aug 20 '25 19:08 lukekarrys

Update: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/

Early October: New token lifetime limits and TOTP changes take effect for npm publishers. Mid-November: Classic npm tokens revoked and generation disabled.

legendecas avatar Oct 15 '25 11:10 legendecas

I just noticed that we'll need to update

  • https://github.com/nodejs/branch-diff/commits/blob/.github/workflows/test-and-release.yml
  • https://github.com/nodejs/changelog-maker/blob/main/.github/workflows/test-and-release.yml
  • https://github.com/nodejs/remark-preset-lint-node/blob/main/.github/workflows/test-and-release.yml
  • https://github.com/nodejs/commit-stream/blob/main/.github/workflows/test-and-release.yml
  • https://github.com/nodejs/nodejs-dist-indexer/blob/main/.github/workflows/test-and-release.yml

joyeecheung avatar Oct 28 '25 19:10 joyeecheung