@tbouffard tbouffard commented Dec 10, 2025

No longer use a token to increase security.

Summary by CodeRabbit

  • Chores
    • Updated the package publishing workflow to use a more secure authentication method, improving the reliability and security of the release process while maintaining the same publish capabilities.


@tbouffard tbouffard added the chore Build, CI/CD or repository tasks (issues/PR maintenance, environments, ...) label Dec 10, 2025
coderabbitai bot commented Dec 10, 2025

Walkthrough

GitHub Actions workflow for npm package publishing has been updated to replace token-based authentication with OIDC trusted publisher setup. The NODE_AUTH_TOKEN environment variable was removed, and comments were updated to reflect that npm provenance will now rely on trusted publisher configuration instead of explicit token credentials.

Changes

Cohort / File(s): CI/CD Configuration, .github/workflows/publish-npm-package.yml
Summary: Removed the NODE_AUTH_TOKEN environment variable; clarified comments regarding the OIDC trusted publisher requirement for npm provenance and scoped package handling; retained the npm publish command with the --provenance --access public flags.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Single file modification with primarily comment/documentation updates
  • Straightforward removal of environment variable (NODE_AUTH_TOKEN)
  • No complex logic or control flow changes
  • Configuration-only change with low risk

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Description check: ⚠️ Warning
  Explanation: The PR description is minimal and lacks required template sections including PR checklist, detailed overview, issue references, and testing information.
  Resolution: Complete the PR template by adding the checklist, linking to the related issue, explaining the security benefits and implementation details, and confirming testing/documentation updates.
✅ Passed checks (2 passed)
Title check: ✅ Passed
  Explanation: The title 'ci: publish npm package with trusted publisher' clearly and concisely summarizes the main change: updating the npm publishing workflow to use trusted publishers instead of tokens.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a68bb58 and 47435f8.

📒 Files selected for processing (1)
  • .github/workflows/publish-npm-package.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/publish-npm-package.yml (2)

9-11: OIDC trusted publisher setup is correctly configured.

The id-token: write permission enables GitHub Actions to exchange OIDC tokens with npm, eliminating the need for long-lived credentials.


18-20: Verify trusted publisher is configured in npm account and build-setup action supports OIDC.

The workflow correctly removes the token-based approach and uses --provenance with OIDC. However, this requires two manual prerequisites:

  1. Trusted Publisher Setup: The npm package must have a trusted publisher configured at npmjs.com. This is a one-time manual setup per package.
  2. npm CLI Configuration: Verify the .github/actions/build-setup action properly configures npm to use OIDC tokens. The npm CLI should be configured to authenticate via the id-token when accessing registry.npmjs.org.

Please confirm:

If the build-setup action does not handle OIDC configuration, you may need to add an explicit .npmrc setup step.


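An added configuration example, not the maxGraph repository's own workflow file, contrasting the token-based publish step this PR removes with the OIDC trusted-publisher form the review describes. The tag trigger, action versions and Node version are assumptions; the package must already be registered with this repository and workflow as a trusted publisher on npmjs.com.

```yaml
# Added example, not the maxGraph repository's own workflow: the token-based
# publish step this PR removes (first document) next to the OIDC trusted-publisher
# form the review describes (second document). Tag trigger, action versions and
# Node version are assumptions.
name: publish-npm-package (token based)
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          # Long-lived secret: any compromised step or dependency in the job can
          # read it, and it stays valid for every package until revoked by hand.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
name: publish-npm-package (trusted publisher)
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write   # the job may request a short-lived OIDC token from GitHub
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # No NODE_AUTH_TOKEN. npm presents the job's OIDC token to registry.npmjs.org,
      # which accepts it only if this repository and workflow file are registered as
      # a trusted publisher for the package (the one-time setup the review mentions).
      # --provenance attaches a signed attestation tying the tarball to this run.
      - run: npm publish --provenance --access public
```

After a release, the package page on npmjs.com shows the provenance attestation, and a consuming project can verify it with `npm audit signatures`.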

@tbouffard tbouffard merged commit 5c035c1 into main Dec 10, 2025
7 checks passed
@tbouffard tbouffard deleted the ci/npm_publish_with_trusted_publisher branch December 10, 2025 15:37