feat: update npm authentication process for OIDC trusted publishing

2026-04-06 00:32:12 +02:00 · 2025-12-10 15:42:51 +00:00
parent 8079f5b74d
commit d7d382bcf6
2 changed files with 31 additions and 19 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -141,10 +141,10 @@ jobs:
    needs: [generate-build-number, read-version, publish-npm-packages]
    env:
      CI_PIPELINE_ID: ${{ github.run_number }}
-      NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
    permissions:
      contents: write  # For creating releases
      packages: write  # For publishing packages
+      id-token: write  # Required for npm OIDC trusted publishing
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -156,6 +156,10 @@ jobs:
        with:
          node-version: latest
          cache: 'npm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update npm for OIDC support
+        run: npm install -g npm@latest

      - name: Install Common dependencies
        run: cd Common && npm install
@@ -185,16 +189,6 @@ jobs:
          echo "📁 Directory structure:"
          ls -la "$MCP_DIR"

-      - name: Setup npm authentication
-        run: |
-          # Clean up any existing npm configuration that might cause warnings
-          rm -f ~/.npmrc
-          # Create npmrc file with authentication
-          touch ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_AUTH_TOKEN" >> ~/.npmrc
-          echo "//registry.npmjs.org/:email=npm@oneuptime.com" >> ~/.npmrc
-          echo "✅ npm authentication configured"
-
      - name: Update package version
        run: |
          cd MCP
@@ -1536,13 +1530,22 @@ jobs:
  publish-npm-packages:
    runs-on: ubuntu-latest
    needs: [generate-build-number, read-version]
+    permissions:
+      contents: read
+      id-token: write  # Required for npm OIDC trusted publishing
    env:
      CI_PIPELINE_ID: ${{github.run_number}}
-      NPM_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
      PACKAGE_VERSION: ${{needs.read-version.outputs.major_minor}}
    steps:
      - name: Checkout 
        uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: latest
+          registry-url: 'https://registry.npmjs.org'
+      - name: Update npm for OIDC support
+        run: npm install -g npm@latest
      - name: Preinstall 
        uses: nick-fields/retry@v3
        with:
--- a/Scripts/NPM/PublishAllPackages.sh
+++ b/Scripts/NPM/PublishAllPackages.sh
@@ -9,15 +9,24 @@ if [ -z "$package_version" ]; then
  exit 1
 fi

-# touch npmrc file
-touch ~/.npmrc
+# Note: Authentication is handled via npm OIDC trusted publishing
+# The GitHub Actions workflow provides id-token: write permission
+# and setup-node action configures the registry-url

-# Add Auth Token to npmrc file
-echo "//registry.npmjs.org/:_authToken=$NPM_AUTH_TOKEN" >> ~/.npmrc
-echo "//registry.npmjs.org/:email=npm@oneuptime.com" >> ~/.npmrc
+###
+# Required Manual Configuration on npmjs.com
+# You need to configure Trusted Publishers for each npm package:

-# Show content of npmrc file
-cat ~/.npmrc
+# Go to npmjs.com and log into your account
+# For each package (@oneuptime/common, @oneuptime/mcp-server, etc.):
+# Navigate to the package settings
+# Find the "Trusted Publisher" section
+# Click "GitHub Actions"
+# Configure:
+# Organization or user: OneUptime
+# Repository: oneuptime
+# Workflow filename: release.yml
+# Save the configuration

 publish_to_npm() {
    directory_name=$1