From 4b94ac99b2db3f6bdc2a47225c7c9f8eccb0a8dd Mon Sep 17 00:00:00 2001
From: Ramon Niebla
Date: Fri, 17 Apr 2026 16:34:41 -0700
Subject: [PATCH] ci: switch npm publish to trusted publishing (OIDC)

The @launchdarkly/ldcli npm package now has trusted publishing configured on the npm side, which rejects legacy NODE_AUTH_TOKEN publishes (npm returns 404 to obscure auth failures). Align the release-please and manual-publish workflows with the OIDC pattern already used by js-client-sdk, observability-sdk, and launchdarkly- toolbar:

* bump actions/setup-node v3 -> v4
* install npm 11.6.2 (trusted publishing requires >= 11.5.1)
* drop the SSM-sourced NODE_AUTH_TOKEN; npm CLI picks up the OIDC token automatically via the existing id-token: write permission

No changes to scripts/publish-npm.sh (already uses --provenance --access public, same as the sibling repos).

Made-with: Cursor
---
 .github/workflows/manual-publish.yml | 15 +++++++++------
 .github/workflows/release-please.yml | 15 +++++++++------
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 0d860c74..fc556114 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -83,6 +83,10 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ inputs.dry-run-npm == false }}
     needs: [release-ldcli]
+    # id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+    # that the npm registry trusts via the trusted publisher config. The npm
+    # trusted publisher must be configured with this workflow filename
+    # (manual-publish.yml) for publishes from this path to succeed.
     permissions:
       actions: read
       id-token: write
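Review bot: The added comment describes `id-token: write` as letting npm "exchange the GITHUB_TOKEN for an OIDC token", but GITHUB_TOKEN is not involved in that flow; the permission lets the job request an ID token from GitHub's OIDC provider, which npm then presents to the registry. Since this comment is the place the next maintainer will look when a publish fails with the opaque 404 mentioned in the commit message, the first two lines could read `# id-token: write lets the job request a GitHub OIDC ID token; npm CLI presents it to the` / `# registry, which trusts it via the package's trusted publisher config. The npm`. The same phrasing appears in the comment added to release-please.yml in the last hunk and should be corrected there too.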
@@ -92,15 +96,14 @@ jobs:
         name: Checkout
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
           registry-url: 'https://registry.npmjs.org'
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+      - name: Update npm
+        shell: bash
+        # npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+        run: npm install -g npm@11.6.2
       - id: publish-npm
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 963c3704..dd7412a3 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -107,21 +107,24 @@ jobs:
   release-ldcli-npm:
     runs-on: ubuntu-latest
     needs: [release-please, release-ldcli]
+    # id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+    # that the npm registry trusts via the trusted publisher config for this
+    # workflow. No static NPM token is needed (or wanted: if NODE_AUTH_TOKEN is
+    # set, npm prefers the token path and skips OIDC).
     permissions:
       id-token: write
       contents: write
     if: needs.release-please.outputs.release_created == 'true'
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
           registry-url: 'https://registry.npmjs.org'
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+      - name: Update npm
+        shell: bash
+        # npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+        run: npm install -g npm@11.6.2
       - id: publish-npm
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm
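Review bot: The `Get NPM token` step is removed here, but the publish itself still runs through `./.github/actions/publish-npm`, which is not part of this diff; if that composite action still declares or forwards `NODE_AUTH_TOKEN` (for example in an `env:` block), the variable the commit message says must not be set is still reaching npm and should be cleaned up in the same change. The trusted-publisher binding is per workflow filename, as the comment added in the previous hunk notes, and as far as I know npm currently accepts a single trusted publisher per package, so it is worth recording in the workflow which of manual-publish.yml and release-please.yml is the configured one or confirming npm allows both, otherwise one path fails with the same 404 this commit is fixing. The `Update npm` step is duplicated verbatim in the release-please.yml hunk below; moving it into the publish-npm composite action would keep the pinned version and its `>= 11.5.1` rationale from drifting between the two workflows.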
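Review bot: The new comment states as fact that "if NODE_AUTH_TOKEN is set, npm prefers the token path and skips OIDC", but nothing in this workflow establishes that precedence, and `actions/setup-node` with `registry-url` set writes an `.npmrc` that reads `NODE_AUTH_TOKEN` (and, I believe, exports a placeholder value for it), so the claim should be verified against npm 11.6.2 before maintainers rely on it as the reason the token was dropped; if it cannot be confirmed, soften it to `# set, npm may fall back to the token path instead of OIDC — verify on upgrade).`. Separately, this job keeps `contents: write` while its visible steps only check out, set up node, update npm and publish; if the publish-npm composite action does not push tags or commits, `contents: read` would be the least-privilege setting for a job that now holds an OIDC identity trusted by the registry.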