Skip to content

chore: switch npm publish from token auth to OIDC trusted publishers #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rgarcia wants to merge 1 commit into from
Closed

chore: switch npm publish from token auth to OIDC trusted publishers #75

rgarcia wants to merge 1 commit into from

Conversation

@rgarcia
Copy link
Contributor

@rgarcia rgarcia commented Feb 7, 2026
edited by cursor bot
Loading

Summary

  • Replaces NPM_TOKEN secret-based auth with npm's OIDC trusted publishers (already configured on npmjs.com)
  • Adds provenance attestation to published packages via npm publish --provenance
  • Removes all references to NPM_TOKEN / KERNEL_NPM_TOKEN secrets across workflows and scripts

Changes

File What changed
.github/workflows/publish-npm.yml Added permissions: id-token: write, updated actions/setup-node to v4 with registry-url, removed NPM_TOKEN env
bin/publish-npm Removed npm config set token line, switched yarn publish to npm publish --provenance --access public
bin/check-release-environment Removed NPM_TOKEN check (no secrets needed with OIDC)
.github/workflows/release-doctor.yml Removed NPM_TOKEN env from the check step

How it works

With OIDC trusted publishers, GitHub Actions requests a short-lived OIDC token during the workflow run. npm verifies this token against the trusted publisher configuration (repo + workflow) — no long-lived secrets involved. The --provenance flag also attaches a signed build provenance attestation to each published package.

Test plan

  • Verify the next SDK release publishes successfully via the workflow
  • Confirm provenance badge appears on the npmjs.com package page after publish
  • After confirming, remove the KERNEL_NPM_TOKEN / NPM_TOKEN secrets from the repo settings

Note

Medium Risk
Changes the release/publishing path and authentication mechanism; failures would block npm releases, and correct OIDC/trusted-publisher configuration is required for successful publishes.

Overview
Publishing to npm is migrated from long-lived NPM_TOKEN secrets to npm OIDC trusted publishers by granting id-token: write permissions in publish-npm.yml and removing token env wiring from workflows.

The publish script drops per-run npm token configuration and switches from yarn publish to npm publish --provenance --access public, while check-release-environment no longer validates presence of NPM_TOKEN.

Written by Cursor Bugbot for commit 24e00ea. This will update automatically on new commits. Configure here.

@rgarcia @cursoragent
chore: switch npm publish from token auth to OIDC trusted publishers
24e00ea 
Replace NPM_TOKEN-based authentication with npm's OIDC trusted
publishers. This eliminates the need for a long-lived npm token secret
and adds provenance attestation to published packages.

Changes:
- publish-npm.yml: add id-token:write permission, setup-node with
  registry-url, remove NPM_TOKEN env
- bin/publish-npm: remove npm config set for auth token, switch from
  yarn publish to npm publish --provenance --access public
- bin/check-release-environment: remove NPM_TOKEN check (no longer
  needed)
- release-doctor.yml: remove NPM_TOKEN env

Co-authored-by: Cursor <cursoragent@cursor.com>
@rgarcia rgarcia closed this Feb 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rgarcia