
feat(npm): support OIDC trusted publishing #763

Merged
BYK merged 3 commits into master from feat/npm-oidc-trusted-publishing on Feb 27, 2026

Conversation

@BYK (Member) commented Feb 27, 2026

Summary

  • Add auto-detection of OIDC trusted publishing when NPM_TOKEN is absent and the CI environment exposes OIDC credentials (GitHub Actions ACTIONS_ID_TOKEN_REQUEST_* env vars, GitLab NPM_ID_TOKEN). Zero config change required for the common case.
  • Add explicit oidc: true target option to force OIDC mode (useful when migrating while both a token and OIDC are configured).
  • Skip temp .npmrc injection in OIDC mode so npm's native OIDC detection is not overridden; require npm >= 11.5.1 for OIDC; hard-error on explicit oidc: true with incompatible environments.
  • getLatestVersion() runs unauthenticated when no token is available (works for public packages; warns and skips the checkPackageName check for private ones).
  • All existing token-based behavior is unchanged.

Auth Decision Logic

| oidc config | NPM_TOKEN set | OIDC env detected   | Result                       |
| ----------- | ------------- | ------------------- | ---------------------------- |
| true        | any           | any                 | Force OIDC                   |
| unset       | yes           | any                 | Token auth (backward compat) |
| unset       | no            | yes (npm >= 11.5.1) | Auto-detect OIDC             |
| unset       | no            | no                  | Error: NPM_TOKEN not found   |

Files Changed

  • src/targets/npm.ts — core implementation: isOidcEnvironment() helper, updated checkRequirements, getNpmConfig, publishPackage, and getLatestVersion
  • src/targets/__tests__/npm.test.ts — 13 new tests covering all OIDC paths
  • docs/src/content/docs/targets/npm.md — OIDC Trusted Publishing section

Testing

# .craft.yml — zero config needed if CI is set up with id-token: write
targets:
  - name: npm
    access: public

# GitHub Actions workflow (separate file; the job needs id-token: write for OIDC)
permissions:
  id-token: write
  contents: read
steps:
  - uses: actions/setup-node@v4
    with:
      node-version: '24'
      registry-url: 'https://registry.npmjs.org'
  - run: craft publish
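The decision table above, modelled as an added TypeScript example. This is not craft's code from this PR: the names decideNpmAuth, detectOidcProvider, tempNpmrcContents and NpmTargetConfig, the config/env shapes and the small semver helper are hypothetical; the environment variable names are the ones the PR description cites, and the 11.5.1 minimum is the PR's. It also shows the .npmrc point from the summary: only token mode writes a temporary auth line, so in OIDC mode npm's own detection is left untouched.

```typescript
// Added example, not craft's own implementation: a pure model of the auth
// decision table from the PR description. Function and type names here
// (decideNpmAuth, detectOidcProvider, tempNpmrcContents, NpmTargetConfig) are
// hypothetical; the env var names are the ones the PR cites.

type OidcProvider = 'github' | 'gitlab';

type NpmAuthDecision =
  | { mode: 'token'; token: string }
  | { mode: 'oidc'; provider: OidcProvider }
  | { mode: 'error'; reason: string };

interface NpmTargetConfig {
  oidc?: boolean; // explicit `oidc: true` forces OIDC even if NPM_TOKEN is set
}

type Env = Record<string, string | undefined>;

interface SemVer { major: number; minor: number; patch: number }

// npm's native OIDC trusted publishing needs 11.5.1 or newer (the PR's minimum).
const NPM_OIDC_MIN_VERSION: SemVer = { major: 11, minor: 5, patch: 1 };

function parseSemVer(v: string): SemVer | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  return m ? { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) } : null;
}

function versionGreaterOrEqualThan(a: SemVer, b: SemVer): boolean {
  if (a.major !== b.major) return a.major > b.major;
  if (a.minor !== b.minor) return a.minor > b.minor;
  return a.patch >= b.patch;
}

// GitHub Actions sets ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN only when the job has
// `id-token: write`; GitLab CI surfaces the ID token as NPM_ID_TOKEN.
function detectOidcProvider(env: Env): OidcProvider | null {
  if (env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) return 'github';
  if (env.NPM_ID_TOKEN) return 'gitlab';
  return null;
}

function decideNpmAuth(
  config: NpmTargetConfig,
  env: Env,
  npmVersion: string,
  warn: (msg: string) => void = console.warn,
): NpmAuthDecision {
  const provider = detectOidcProvider(env);
  const parsed = parseSemVer(npmVersion);
  const npmOk = parsed !== null && versionGreaterOrEqualThan(parsed, NPM_OIDC_MIN_VERSION);

  // Row 1: explicit oidc: true wins over the token; an incompatible environment is a hard error.
  if (config.oidc === true) {
    if (!provider) return { mode: 'error', reason: 'oidc: true set but no OIDC credentials found in the CI environment' };
    if (!npmOk) return { mode: 'error', reason: `oidc: true requires npm >= 11.5.1, found ${npmVersion}` };
    return { mode: 'oidc', provider };
  }
  // Row 2: a token keeps the old behaviour exactly.
  if (env.NPM_TOKEN) return { mode: 'token', token: env.NPM_TOKEN };
  // Row 3: no token, OIDC credentials present and npm new enough -> auto-detect.
  if (provider && npmOk) return { mode: 'oidc', provider };
  // Row 4: auto-detected OIDC with old npm warns and falls through to the token error.
  if (provider) warn(`OIDC credentials detected but npm ${npmVersion} is older than 11.5.1; ignoring them`);
  return { mode: 'error', reason: 'NPM_TOKEN not found' };
}

// Only token auth gets a temporary .npmrc. OIDC mode writes nothing, so npm's own
// OIDC detection (which reads the same CI variables) is not overridden.
function tempNpmrcContents(decision: NpmAuthDecision, registryHost = 'registry.npmjs.org'): string | null {
  return decision.mode === 'token' ? `//${registryHost}/:_authToken=${decision.token}\n` : null;
}
```

The warn callback is a parameter rather than a hard-wired console.warn so the row-4 fall-through can be checked in a test; the `oidc: true` hard error on an old npm is deliberate, since silently falling back to a token would defeat the point of forcing OIDC during a migration.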

Add auto-detection and opt-in support for npm's OIDC trusted publishing
(https://docs.npmjs.com/trusted-publishers), eliminating the need for
long-lived NPM_TOKEN secrets.

- Auto-detect OIDC from CI env vars (GitHub Actions ACTIONS_ID_TOKEN_*
  and GitLab NPM_ID_TOKEN) when NPM_TOKEN is absent
- Add explicit `oidc: true` config option to force OIDC mode
- Skip temp .npmrc injection in OIDC mode so npm's native OIDC detection
  is not overridden
- Validate npm >= 11.5.1 when OIDC is in use; hard-error on explicit
  `oidc: true` with incompatible environments, warn and fall through to
  token error on auto-detected OIDC with old npm
- getLatestVersion() runs without auth when no token is available (works
  for public packages; warns and skips check for private packages)
- Token auth and all existing behavior unchanged when NPM_TOKEN is set

@BYK BYK marked this pull request as ready for review February 27, 2026 13:46
@cursor cursor bot (Contributor) left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.

- Extract duplicated isNewEnough version check to isNpmVersionSufficientForOidc() helper
- Propagate oidc config option to expanded workspace targets in expand()
- Fix test assertion that was checking NPM_BIN ('npm') instead of 'NPM_TOKEN'
- Add test coverage for oidc propagation through workspace expand()

Replace the ad-hoc NPM_OIDC_MIN_{MAJOR,MINOR,PATCH} constants and the
isNpmVersionSufficientForOidc() helper with the existing SemVer utilities
already imported in npm.ts:

- Single NPM_OIDC_MIN_VERSION: SemVer constant instead of three separate ones
- versionGreaterOrEqualThan(npmVersion, NPM_OIDC_MIN_VERSION) replaces the
  custom comparison logic
- this.npmVersion now stores the full SemVer from parseVersion() directly
- TestNpmTarget.mockVersion typed as SemVer to match
@BYK BYK merged commit b02365c into master Feb 27, 2026
18 checks passed
@BYK BYK deleted the feat/npm-oidc-trusted-publishing branch February 27, 2026 16:02
BYK added a commit to BYK/opencode-lore that referenced this pull request Feb 27, 2026
Now that Craft supports OIDC auto-detection (getsentry/craft#763),
restore the npm target in .craft.yml and let craft publish handle
both GitHub release and npm publish in one command. Removes the
separate npm publish step and the preReleaseCommand workaround.