fix(ci): use changesets-action v1.6.8 with explicit OIDC env passing #688
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This version explicitly passes OIDC environment variables to the publish command execution, which should fix the proto shim compatibility issue. Changes: - Use GarthDB/changesets-action@v1.6.8 instead of changesets/action@v1 - Enable oidcAuth: true to activate explicit env var passing - Restore single-step publish (no need for separate manual publish step) - Remove verification step (v1.6.8 handles validation internally) How v1.6.8 fixes the proto shim issue: - PR #687 confirmed OIDC vars ARE present in GitHub Actions shell - Previous versions failed because vars were lost through proto shim chain - v1.6.8 explicitly passes env vars to exec() call using env option - This forces OIDC variables through: action → pnpm → changeset → npm Expected outcome: ✅ npm should detect OIDC from explicitly passed environment variables ✅ Packages should publish successfully with provenance ✅ Works with proto/moonrepo toolchains and standard environments Related: - v1.6.8 release: https://github.com/GarthDB/changesets-action/releases/tag/v1.6.8 - Root cause identified in PR #687 - Builds on npm 11.6.2 setup from PR #680
|
Member
Author
Run report for 49dd54bcTotal time: 7.1ms | Comparison time: 0s | Estimated loss: 7.1ms (100.0% slower)
Touched files |
GarthDB
added a commit
that referenced
this pull request
Jan 23, 2026
This PR tests if npm OIDC works when we bypass proto/moonrepo shims entirely. Changes: - Replace moonrepo/setup-toolchain with actions/setup-node - Install npm 11.6.2 directly (no proto shim) - Install pnpm 10.17.1 directly (no proto shim) - Install moon 1.39.1 directly (no proto shim) - Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true Purpose: After exhaustive testing (v1.6.4-v1.6.8, PR #687), we've confirmed: ✅ OIDC environment variables ARE present in GitHub Actions ✅ npm 11.6.2 is the correct version ✅ Trusted publishers are configured correctly ❌ npm can't authenticate through proto shim chain This test will definitively show if proto shims are the blocker. Expected outcomes: If this WORKS (✅ npm publishes successfully): → Proto shims are confirmed as the issue → We have two options: 1. Use this direct install approach (no proto in release workflow) 2. File bug with proto/moonrepo about OIDC support If this FAILS (❌ still ENEEDAUTH): → Something else is wrong with OIDC setup → Fall back to NPM_TOKEN Related: - All v1.6.x attempts: ENEEDAUTH with proto - PR #687: Confirmed OIDC vars present in shell - PR #688: v1.6.8 still failed with proto
GarthDB
added a commit
that referenced
this pull request
Jan 23, 2026
This PR tests if npm OIDC works when we bypass proto/moonrepo shims entirely. Changes: - Replace moonrepo/setup-toolchain with actions/setup-node - Install npm 11.6.2 directly (no proto shim) - Install pnpm 10.17.1 directly (no proto shim) - Install moon 1.39.1 directly (no proto shim) - Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true Purpose: After exhaustive testing (v1.6.4-v1.6.8, PR #687), we've confirmed: ✅ OIDC environment variables ARE present in GitHub Actions ✅ npm 11.6.2 is the correct version ✅ Trusted publishers are configured correctly ❌ npm can't authenticate through proto shim chain This test will definitively show if proto shims are the blocker. Expected outcomes: If this WORKS (✅ npm publishes successfully): → Proto shims are confirmed as the issue → We have two options: 1. Use this direct install approach (no proto in release workflow) 2. File bug with proto/moonrepo about OIDC support If this FAILS (❌ still ENEEDAUTH): → Something else is wrong with OIDC setup → Fall back to NPM_TOKEN Related: - All v1.6.x attempts: ENEEDAUTH with proto - PR #687: Confirmed OIDC vars present in shell - PR #688: v1.6.8 still failed with proto
GarthDB
added a commit
that referenced
this pull request
Jan 23, 2026
Previous PR #689 failed because moon requires proto even when installed directly. This PR bypasses both proto AND moon to test OIDC compatibility. Changes: - Remove moon entirely from release workflow - Install Node.js, npm, and pnpm directly (no proto) - Run pnpm install to get dependencies - Build tokens package directly with node commands - Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true Why this should work: - moon is tightly coupled to proto (requires proto shims) - Only tokens package has build tasks (buildTokens + buildManifest) - Other packages (component-schemas, design-system-registry) have no build - Running build commands directly bypasses moon dependency on proto Process flow without proto/moon: 1. Install Node.js 20.17.0 directly 2. Install npm 11.6.2 directly (OIDC compatible) 3. Install pnpm 10.17.1 directly 4. Run pnpm install (no shims involved) 5. Build tokens with direct node commands 6. changesets-action passes OIDC env vars to npm 7. npm publishes with OIDC (no shim interference) Expected outcome: ✅ npm should detect OIDC and publish successfully Related: - PR #689: Failed because moon requires proto - PR #688: v1.6.8 failed with proto shims - PR #687: Confirmed OIDC vars present in shell
GarthDB
added a commit
that referenced
this pull request
Jan 23, 2026
Previous PR #689 failed because moon requires proto even when installed directly. This PR bypasses both proto AND moon to test OIDC compatibility. Changes: - Remove moon entirely from release workflow - Install Node.js, npm, and pnpm directly (no proto) - Run pnpm install to get dependencies - Build tokens package directly with node commands - Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true Why this should work: - moon is tightly coupled to proto (requires proto shims) - Only tokens package has build tasks (buildTokens + buildManifest) - Other packages (component-schemas, design-system-registry) have no build - Running build commands directly bypasses moon dependency on proto Process flow without proto/moon: 1. Install Node.js 20.17.0 directly 2. Install npm 11.6.2 directly (OIDC compatible) 3. Install pnpm 10.17.1 directly 4. Run pnpm install (no shims involved) 5. Build tokens with direct node commands 6. changesets-action passes OIDC env vars to npm 7. npm publishes with OIDC (no shim interference) Expected outcome: ✅ npm should detect OIDC and publish successfully Related: - PR #689: Failed because moon requires proto - PR #688: v1.6.8 failed with proto shims - PR #687: Confirmed OIDC vars present in shell
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR integrates the new v1.6.8 release of the forked
changesets-actionwhich fixes OIDC authentication with proto/moonrepo toolchains by explicitly passing environment variables to the publish command.Root Cause (Identified in PR #687)
Testing confirmed that:
What v1.6.8 Fixes
The new version explicitly passes OIDC environment variables to the publish command's
exec()call:This forces the variables through the proto shim chain:
action → pnpm → changeset → npmChanges in This PR
GarthDB/changesets-action@v1.6.8(up from v1.6.7)oidcAuth: trueto activate explicit env passingWhy Previous Versions Failed
core.exportVariable()process.envExpected Outcome
When this PR is merged to main, the workflow should:
Testing
The workflow will only run when merged to
mainbranch. Look for these log messages:ENEEDAUTHerrorsReferences
Related Issues
Completes the OIDC migration and resolves the proto/moonrepo compatibility issue that has been causing
ENEEDAUTHerrors since PR #671.