chore: switch npm publish from token to OIDC trusted publishers #107

Merged
rgarcia merged 1 commit into main from rgarcia/cli-npm-oidc
Feb 7, 2026

rgarcia commented Feb 7, 2026

Summary

Changes to .github/workflows/release.yaml

| Change | Why |
| --- | --- |
| Added id-token: write permission | Required for GitHub Actions to mint an OIDC token for npm |
| Added npm install -g npm@latest step | npm >= 11.5.1 is required for OIDC trusted publishing |
| Removed NPM_TOKEN and NODE_AUTH_TOKEN env vars from GoReleaser step | No longer needed — goreleaser's npm pipe picks up the OIDC token automatically |

Prerequisites

  • GitHub must be configured as a trusted publisher for @onkernel/cli on npmjs.com (docs)

Test plan

  • Verify the next tag-triggered release publishes @onkernel/cli to npm successfully
  • After confirming, remove the NPM_TOKEN secret from the repo settings

Note

Medium Risk
Changes release/publishing authentication; failures could block npm releases if OIDC/npm configuration isn’t correct.

Overview
Switches the release workflow to publish to npm via OIDC trusted publishing instead of an NPM_TOKEN secret.

The workflow now grants id-token: write, updates npm to a version that supports OIDC, and removes NPM_TOKEN/NODE_AUTH_TOKEN from the GoReleaser environment so publishing relies on the minted OIDC token.

Written by Cursor Bugbot for commit 72531b1.

- Add id-token:write permission for npm OIDC
- Ensure npm >= 11.5.1 (required for OIDC trusted publishing)
- Remove NPM_TOKEN / NODE_AUTH_TOKEN secrets from goreleaser step

GitHub is already configured as a trusted publisher on npmjs.com.
GoReleaser's npm pipe will use the OIDC token automatically.

Co-authored-by: Cursor <cursoragent@cursor.com>
rgarcia requested a review from masnwilliams February 7, 2026 16:41

masnwilliams left a comment

lgtm

rgarcia merged commit 2fdd09b into main Feb 7, 2026
2 checks passed
rgarcia deleted the rgarcia/cli-npm-oidc branch February 7, 2026 19:40
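
Added example (not part of this PR or the repository's code): a pre-flight check, in JavaScript, for the three workflow changes the PR description lists. The function names and the sample workflow text are constructed for illustration; the 11.5.1 minimum is the one stated in the PR.

```javascript
// Added example: audits a workflow for the three changes this PR describes.
// MIN_NPM comes from the PR text; the sample workflows are constructed.
const MIN_NPM = [11, 5, 1];

// Numeric semver comparison; a string compare would rank "11.10.0" below "11.5.1".
function npmSupportsOidc(version) {
  const parts = version.replace(/^v/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const have = parts[i] || 0;
    if (have !== MIN_NPM[i]) return have > MIN_NPM[i];
  }
  return true;
}

function auditTrustedPublishing(workflowText, npmVersion) {
  // Drop YAML comments so a commented-out secret or permission is not counted.
  const lines = workflowText.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));
  const findings = [];
  if (!lines.some((l) => /^\s*id-token:\s*write\s*$/.test(l))) {
    findings.push('missing permission id-token: write');
  }
  for (const name of ['NPM_TOKEN', 'NODE_AUTH_TOKEN']) {
    if (lines.some((l) => l.includes(name))) {
      findings.push(`long-lived credential still referenced: ${name}`);
    }
  }
  if (!npmSupportsOidc(npmVersion)) {
    findings.push(`npm ${npmVersion} is older than ${MIN_NPM.join('.')}`);
  }
  return findings;
}

// Constructed samples (not the repository's release.yaml).
const BEFORE = `
permissions:
  contents: write
env:
  NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
  NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;
const AFTER = `
permissions:
  contents: write
  id-token: write
# NPM_TOKEN removed
`;

console.log(auditTrustedPublishing(BEFORE, '10.9.2'));
console.log(auditTrustedPublishing(AFTER, '11.5.1'));
```

The check is textual only: it cannot confirm that GitHub is configured as a trusted publisher on npmjs.com, which the PR lists as a prerequisite.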