Skip to content

[Chore] Migrate npm publish workflow to OIDC #119

Description

@adamantmm

Summary

Migrate .github/workflows/publish-npm.yml from NPM_TOKEN authentication to npm Trusted Publishing (OIDC) now that the trusted publisher is configured on npmjs.com for Adamant-im/adamant-tradebot / publish-npm.yml.

Background

  • v9.0.0 was the first publish and used secrets.NPM_TOKEN
  • npm Trusted Publisher (OIDC) is configured on the package
  • Sibling packages (adamant-api, adamant-console) already publish via OIDC without a stored token

Scope

  • Remove NODE_AUTH_TOKEN / NPM_TOKEN from the publish workflow
  • Use Node.js 24 and npm install -g npm@latest (npm CLI ≥ 11.5.1 for OIDC)
  • Keep permissions: id-token: write and npm publish --provenance --access public
  • Add workflow_dispatch for manual verification before the next release
  • Add release tag ↔ package.json version check (same as adamant-api)
  • Set publishConfig.provenance: true in package.json
  • Document trusted publisher setup in workflow comments

Follow-up (after merge + successful OIDC publish)

  • Revoke or rotate the NPM_TOKEN repository secret (no longer needed for publish)
  • Optional: npm package Publishing access → disallow tokens (after OIDC publish is verified)

Related

Metadata

Metadata

Assignees

Labels

AutomationAutomated scripts, GitHub Actions, workflows, or task runnersCI/CDActions, tests, and pipelinesNodeJSBackend logic, APIs, and Node.js environmentSecurityTopics about security approaches, cryptography, authentication, or vulnerabilitiesTaskGeneral task not necessarily related to code

Type

Fields

No fields configured for Task.

Projects

Status
In Review

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions