From cebf1b6ecfc13b04be3756b034de1d87afb6c45c Mon Sep 17 00:00:00 2001
From: Di Hei
Date: Tue, 24 Feb 2026 12:11:03 -0800
Subject: [PATCH 1/2] npm trust circleci

---
 api/registry.npmjs.com/trust.yaml | 140 +++++++++++++++++++++++++++++-
 1 file changed, 139 insertions(+), 1 deletion(-)

diff --git a/api/registry.npmjs.com/trust.yaml b/api/registry.npmjs.com/trust.yaml
index 8c75410..295577f 100644
--- a/api/registry.npmjs.com/trust.yaml
+++ b/api/registry.npmjs.com/trust.yaml
@@ -94,6 +94,18 @@ paths:
 ci_config_ref_uri:
 file: ".gitlab-ci.yml"
 environment: "production"
+ circleci:
+ summary: CircleCI configuration
+ value:
+ - id: "e792f093-7302-4330-8d50-27d7acddc87e"
+ type: "circleci"
+ claims:
+ oidc.circleci.com/org-id: "94b40e60-cfd5-486f-a04b-507abf27a83d"
+ oidc.circleci.com/project-id: "ff4d0d0d-5033-48c5-81e6-7c14a4715837"
+ oidc.circleci.com/pipeline-definition-id: "c959a6e7-5b83-4bc1-b46f-37bf13513490"
+ oidc.circleci.com/context-ids:
+ - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ oidc.circleci.com/vcs-origin: "github.com/myorg/myrepo"
 "401":
 description: Unauthorized - missing or invalid authentication / OTP
 headers:
@@ -179,7 +191,7 @@ paths:
 Configure trusted publisher settings for a package to enable OIDC token exchange. This endpoint allows users with write permission to the package to establish trust with CI/CD providers
-(GitHub Actions, GitLab CI, etc.) so that those services can publish to the package
+(GitHub Actions, GitLab CI, CircleCI, etc.) so that those services can publish to the package
 without requiring long-lived npm tokens.
 ## Requirements
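Review bot: The CircleCI claims block in this example is repeated verbatim in the `@@ -244` and `@@ -275` hunks below, so a later change to the claim set or to the sample UUIDs has to be made in three places. An OpenAPI Example Object can be declared once under `components.examples` and pulled in with a `$ref` (e.g. `$ref: '#/components/examples/circleciConfig'`), leaving a single copy to keep correct. The existing GitHub and GitLab examples appear to be inlined the same way, so this may be deliberate; if so, the three copies should at least be checked against each other in review.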
@@ -244,6 +256,17 @@ paths:
 ci_config_ref_uri:
 file: ".gitlab-ci.yml"
 environment: "production"
+ circleci:
+ summary: CircleCI configuration array
+ value:
+ - type: "circleci"
+ claims:
+ oidc.circleci.com/org-id: "94b40e60-cfd5-486f-a04b-507abf27a83d"
+ oidc.circleci.com/project-id: "ff4d0d0d-5033-48c5-81e6-7c14a4715837"
+ oidc.circleci.com/pipeline-definition-id: "c959a6e7-5b83-4bc1-b46f-37bf13513490"
+ oidc.circleci.com/context-ids:
+ - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ oidc.circleci.com/vcs-origin: "github.com/myorg/myrepo"
 security:
 - npmAccessToken: []
 - granularAccessToken: []
@@ -275,6 +298,18 @@ paths:
 ci_config_ref_uri:
 file: ".gitlab-ci.yml"
 environment: "production"
+ circleci:
+ summary: CircleCI configuration response
+ value:
+ - id: "e792f093-7302-4330-8d50-27d7acddc87e"
+ type: "circleci"
+ claims:
+ oidc.circleci.com/org-id: "94b40e60-cfd5-486f-a04b-507abf27a83d"
+ oidc.circleci.com/project-id: "ff4d0d0d-5033-48c5-81e6-7c14a4715837"
+ oidc.circleci.com/pipeline-definition-id: "c959a6e7-5b83-4bc1-b46f-37bf13513490"
+ oidc.circleci.com/context-ids:
+ - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ oidc.circleci.com/vcs-origin: "github.com/myorg/myrepo"
 "400":
 description: Bad request body
 content:
@@ -543,6 +578,7 @@ components:
 oneOf:
 - $ref: '#/components/schemas/GitHubActionsConfig'
 - $ref: '#/components/schemas/GitLabPipelinesConfig'
+ - $ref: '#/components/schemas/CircleCIConfig'
 OidcConfigsCreate:
 type: array
@@ -551,6 +587,7 @@ components:
 oneOf:
 - $ref: '#/components/schemas/GitHubActionsConfigCreate'
 - $ref: '#/components/schemas/GitLabPipelinesConfigCreate'
+ - $ref: '#/components/schemas/CircleCIConfigCreate'
 GitHubActionsConfig:
 type: object
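Review bot: In the `@@ -543` hunk the `oneOf` now lists three config schemas that differ only by their `type` enum, and the items schema it belongs to (`OidcConfigs`, which starts outside the hunk) shows no `discriminator`. Unless one is declared above the visible lines, adding `discriminator: {propertyName: type}` with a `mapping` from `circleci` to `'#/components/schemas/CircleCIConfig'` would let validators and generated clients report an unknown or mistyped `type` value as such, rather than as a generic "matched none of oneOf" failure. The same applies to the `OidcConfigsCreate` hunk at `@@ -551` with `CircleCIConfigCreate`.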
@@ -670,6 +707,59 @@ components:
 description: GitLab environment name
 example: production
+ CircleCIConfig:
+ type: object
+ required:
+ - id
+ - type
+ - claims
+ properties:
+ id:
+ type: string
+ format: uuid
+ description: Unique identifier for the configuration
+ type:
+ type: string
+ enum:
+ - circleci
+ description: Type of the trusted publisher
+ claims:
+ type: object
+ required:
+ - oidc.circleci.com/org-id
+ - oidc.circleci.com/project-id
+ - oidc.circleci.com/pipeline-definition-id
+ - oidc.circleci.com/vcs-origin
+ properties:
+ oidc.circleci.com/org-id:
+ type: string
+ format: uuid
+ description: The UUID of the CircleCI organization
+ example: "94b40e60-cfd5-486f-a04b-507abf27a83d"
+ oidc.circleci.com/project-id:
+ type: string
+ format: uuid
+ description: The UUID of the CircleCI project
+ example: "ff4d0d0d-5033-48c5-81e6-7c14a4715837"
+ oidc.circleci.com/pipeline-definition-id:
+ type: string
+ format: uuid
+ description: The UUID of the pipeline definition Id
+ example: "c959a6e7-5b83-4bc1-b46f-37bf13513490"
+ oidc.circleci.com/context-ids:
+ type: array
+ items:
+ type: string
+ format: uuid
+ description: Optional array of CircleCI context UUIDs.
+ example:
+ - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ oidc.circleci.com/vcs-origin:
+ type: string
+ description: |
+ The origin repository where the CI job runs, in the format `//`.
+ example: "github.com/myorg/myrepo"
+
 GitLabPipelinesConfigCreate:
 type: object
 required:
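Review bot: The `oidc.circleci.com/vcs-origin` description ends with "in the format `//`", which tells the reader nothing (the placeholders appear to have been lost), so it should spell the shape out, e.g. `The repository the CI job runs from, written as <vcs-host>/<org>/<repo> (for example github.com/myorg/myrepo).`; the same text is repeated in `CircleCIConfigCreate` in the next hunk. The `oidc.circleci.com/context-ids` description should also say how the array is evaluated when a token carries several context IDs (every ID on the token must be listed, or any one match suffices), since that decides which contexts are allowed to publish. Nothing in the schema states whether token claims outside these five (the git ref, for instance) take part in the match; a one-line note on that would let package owners judge which branches of the repository end up able to publish once trust is configured. Minor: `The UUID of the pipeline definition Id` reads better as `The UUID of the pipeline definition`.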
@@ -705,3 +795,51 @@ components:
 type: string
 description: GitLab environment name
 example: production
+
+ CircleCIConfigCreate:
+ type: object
+ required:
+ - type
+ - claims
+ properties:
+ type:
+ type: string
+ enum:
+ - circleci
+ description: Type of the trusted publisher
+ claims:
+ type: object
+ required:
+ - oidc.circleci.com/org-id
+ - oidc.circleci.com/project-id
+ - oidc.circleci.com/pipeline-definition-id
+ - oidc.circleci.com/vcs-origin
+ properties:
+ oidc.circleci.com/org-id:
+ type: string
+ format: uuid
+ description: The UUID of the CircleCI organization
+ example: "94b40e60-cfd5-486f-a04b-507abf27a83d"
+ oidc.circleci.com/project-id:
+ type: string
+ format: uuid
+ description: The UUID of the CircleCI project
+ example: "ff4d0d0d-5033-48c5-81e6-7c14a4715837"
+ oidc.circleci.com/pipeline-definition-id:
+ type: string
+ format: uuid
+ description: The UUID of the pipeline definition Id
+ example: "c959a6e7-5b83-4bc1-b46f-37bf13513490"
+ oidc.circleci.com/context-ids:
+ type: array
+ items:
+ type: string
+ format: uuid
+ description: Optional array of CircleCI context UUIDs.
+ example:
+ - "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ oidc.circleci.com/vcs-origin:
+ type: string
+ description: |
+ The origin repository where the CI job runs, in the format `//`.
+ example: "github.com/myorg/myrepo"

From c54b3c2598e61fb7ae4e766c499774e830f1d426 Mon Sep 17 00:00:00 2001
From: Di Hei
Date: Tue, 24 Feb 2026 12:14:50 -0800
Subject: [PATCH 2/2] update base.yaml

---
 api/base.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/base.yaml b/api/base.yaml
index 0be6b90..e6217cd 100644
--- a/api/base.yaml
+++ b/api/base.yaml
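Review bot: `CircleCIConfigCreate` repeats the entire `claims` schema of `CircleCIConfig` from the previous hunk, so the two can drift — a required claim or description changed in one would not change in the other, and the response schema would then no longer describe what the create schema accepts. Defining `CircleCIConfig` as `allOf` of `CircleCIConfigCreate` plus an `id` property (with `id` added to `required`) keeps one source of truth; the GitLab pair above appears to be duplicated the same way, so this may be the file's convention. The `vcs-origin` description here carries the same unreadable "in the format `//`" note as the copy in `CircleCIConfig`, and should be fixed together with it.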
@@ -43,7 +43,7 @@ tags:
 **3. OIDC id_token (`oidcIdToken`)**
 Tokens from supported Identity Providers (CI/CD systems):
- - From GitHub Actions, GitLab CI, etc.
+ - From GitHub Actions, GitLab CI, CircleCI, etc.
 - Must have `aud` claim set to `npm:registry.npmjs.org`
 - Short-lived tokens
 - **Required for:** OIDC token exchange only
@@ -100,12 +100,13 @@ components:
 scheme: bearer
 bearerFormat: JWT
 description: |
- OIDC id_token from a supported Identity Provider (IdP) such as GitHub Actions or GitLab CI.
+ OIDC id_token from a supported Identity Provider (IdP) such as GitHub Actions, GitLab CI, or CircleCI.
 The `aud` (audience) claim must be set to `npm:registry.npmjs.org`.
 **Supported Identity Providers:**
 - GitHub Actions
 - GitLab CI
+ - CircleCI
 # Traditional npm user access tokens
 npmSessionToken: