
[AAASM-4017] 🔧 (ci): Migrate npm publish to OIDC Trusted Publishing #223

Merged
Chisanan232 merged 1 commit into master from v0.0.1/AAASM-4017/config/npm_oidc
Jul 3, 2026

@Chisanan232

Contributor

What

Migrates the release-node.yml npm publish job from a long-lived NPM_TOKEN to npm OIDC Trusted Publishing for the package publish itself.

  • Adds a protected environment: npm to the publish job.
  • Upgrades npm to >= 11.5.1 (npm install -g npm@latest) — OIDC trusted publishing is GA only in npm 11.5.1+, and Node 22 bundles an older npm.
  • Switches both publish steps (Publish 4 runtime sub-packages, Publish main @agent-assembly/sdk) from pnpm publish to npm publish --provenance, and removes NODE_AUTH_TOKEN — npm mints a short-lived, publish-scoped credential from the workflow's OIDC identity.
  • Keeps NPM_CONFIG_PROVENANCE: "true" so SLSA provenance still attaches.
  • Keeps workflow_dispatch trigger, dry-run gating, dist-tag logic, SBOM, and GitHub Release steps unchanged.

Job-level id-token: write (+ contents: write for the git tag/release) was already present.

Why

AAASM-4017 [MED]: the workflow set id-token: write + NPM_CONFIG_PROVENANCE: true but still authenticated the publish with a stored, long-lived secrets.NPM_TOKEN and had no environment: gate — unlike python-sdk, which uses PyPI Trusted Publishing (OIDC, no stored token) behind environment: pypi. This brings node-sdk to parity: the package contents now publish tokenlessly via OIDC + provenance.

Known limitation (one token remains, intentionally)

npm OIDC Trusted Publishing currently authenticates only the npm publish command (npm/cli#8547). The Update latest dist-tag step runs npm dist-tag add, a non-publish registry write OIDC does not cover, so it still needs a token. Blast radius is much smaller: it no longer publishes package contents, only moves a dist-tag pointer. It should be a granular automation token scoped to @agent-assembly/* dist-tag management. Once npm extends OIDC to dist-tag, that token can be dropped entirely.

⚠️ Manual admin setup required before this works

This code change alone will NOT publish successfully until a repo/npm admin completes both of the following. Until then, a dispatched release will fail auth at the publish step.

  • GitHub Environment — create an Environment named exactly npm in this repo (Settings → Environments → New environment). Add required reviewers (Pioneer team) so publishes gate on human approval. No secrets need to live in the environment for the OIDC publish itself.
  • npmjs Trusted Publisher — on npmjs.com, for each published package (@agent-assembly/sdk, @agent-assembly/runtime-linux-x64, @agent-assembly/runtime-linux-arm64, @agent-assembly/runtime-darwin-x64, @agent-assembly/runtime-darwin-arm64): Package Settings → Trusted Publisher → add a GitHub Actions publisher with:
    • Organization/Repository: ai-agent-assembly/node-sdk
    • Workflow filename: release-node.yml
    • Environment: npm
  • NPM_TOKEN secret — keep a secret named NPM_TOKEN available to the workflow, but downgrade it to a granular automation token scoped only to dist-tag management for @agent-assembly/* (it no longer needs publish scope). Required only by the Update latest dist-tag step (see "Known limitation").

How to verify

  • actionlint .github/workflows/release-node.yml passes; YAML parses.
  • After the manual setup above, dispatch release-node with dry-run=true (skips registry writes) to confirm the job wiring, then a real pre-release publish to confirm OIDC auth + provenance.

Refs AAASM-4017

🤖 Generated with Claude Code

https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73

Authenticate the release-node publish steps via npm OIDC trusted
publishing instead of a long-lived NPM_TOKEN:

- Add `environment: npm` to the publish job (protected environment gate).
- Upgrade npm to >= 11.5.1 (npm install -g npm@latest) so the OIDC
  token-exchange path exists on Node 22's bundled older npm.
- Switch the two publish steps from `pnpm publish` to
  `npm publish --provenance` and drop `NODE_AUTH_TOKEN`; npm mints a
  short-lived publish-scoped credential from the workflow OIDC identity.
- Keep NPM_CONFIG_PROVENANCE for SLSA provenance.
- Retain a token only on `npm dist-tag add` (OIDC covers `npm publish`
  only — npm/cli#8547), documented for future removal.

Requires manual admin setup before it works: create the `npm` GitHub
Environment and configure the package's trusted publisher on npmjs.com.

Refs AAASM-4017

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026


@Chisanan232

Contributor Author

🤖 Claude Code review — approve

AAASM-4017 npm OIDC. Publish job migrated to npm Trusted Publishing (npm publish --provenance, no NODE_AUTH_TOKEN) + protected environment: npm + npm@latest (OIDC needs ≥11.5.1). npm dist-tag step retains a token (npm OIDC covers publish only — documented). CI green. ⚠️ Manual: create npm Environment + configure npmjs Trusted Publisher per package (checklist in PR body).

@Chisanan232

Contributor Author

🤖 Claude Code — deep review: APPROVE (conditional on documented manual setup)

CI: green (25/25). Scope: matches ticket — publish migrated to npm OIDC Trusted Publishing (npm publish --provenance, no NODE_AUTH_TOKEN), environment: npm, npm@latest (OIDC needs ≥11.5.1); dist-tag step keeps a token (npm OIDC covers publish only — correctly reasoned, blast-radius reduced).

Side-effects (regression check): the main breakage risk — pnpm publish auto-rewrites workspace:* but npm publish does NOT — is handled: the workflow already rewrites optionalDependencies runtime-* to concrete versions in an explicit node step for BOTH main-only and all modes before publish; sub-packages have no workspace deps. Non-publish jobs (build/SBOM/dry-run/release) untouched. No silent break.

⚠️ Prerequisites (publish hard-fails until done, labeled in PR body): create the npm GitHub Environment + configure npmjs Trusted Publisher for all 5 packages; downgrade NPM_TOKEN to a dist-tag-scoped token. Watch the first real publish: with NODE_AUTH_TOKEN unset, setup-node writes an empty _authToken= — npm ≥11.5.1 is documented to fall through to OIDC, but validate via a dry-run + pre-release first.

@Chisanan232 Chisanan232 merged commit 1027264 into master Jul 3, 2026
25 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-4017/config/npm_oidc branch July 3, 2026 01:45
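
The conditions this PR relies on (npm at 11.5.1 or newer, an OIDC identity from `id-token: write`, no `NODE_AUTH_TOKEN` on the publish steps) can be checked in a step that runs ahead of `npm publish`. The sketch below is an added example, not code from this PR or the project; the function names are hypothetical, and it assumes the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables that GitHub Actions exposes to jobs granted `id-token: write`.

```shell
# Added example (not from the PR): preflight for an OIDC trusted-publishing job.
# Function names are hypothetical. POSIX sh; helper variables are global.

# version_ge A B: succeed when dotted version A >= B (major.minor.patch, numeric).
# A pre-release/build suffix is dropped, so 11.5.1-rc.0 compares as 11.5.1.
version_ge() {
  va=${1%%[-+]*}; vb=${2%%[-+]*}
  for _part in 1 2 3; do
    x=${va%%.*}; y=${vb%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 0
}

# oidc_publish_preflight NPM_VERSION
# Reports each unmet condition on stderr; exit status is the number of problems.
oidc_publish_preflight() {
  problems=0
  # The PR upgrades npm because Node 22 bundles a release older than 11.5.1.
  if ! version_ge "$1" 11.5.1; then
    echo "npm $1 is older than 11.5.1: trusted publishing unavailable" >&2
    problems=$((problems + 1))
  fi
  # Both variables are present only when the job has permissions.id-token: write.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "no OIDC token endpoint: check permissions.id-token: write" >&2
    problems=$((problems + 1))
  fi
  # The migration removes NODE_AUTH_TOKEN from the publish steps; if it is
  # still set here, a stored secret is still exposed to the publish command.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is set on a publish step: remove the stored token" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage inside the publish job, before the first publish step:
#   oidc_publish_preflight "$(npm --version)" || exit 1
```

The check does not cover the npmjs-side trusted publisher entry or the `npm` environment's reviewers; those still need the dry-run and pre-release publish described in the PR body.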