Skip to content

🔧 [PB-1278] Clear NODE_AUTH_TOKEN to enable OIDC authentication#18

Merged
crisap94 merged 1 commit intomainfrom
front/PB-1278-oidc-trusted-publishing-v2
Dec 31, 2025
Merged

🔧 [PB-1278] Clear NODE_AUTH_TOKEN to enable OIDC authentication#18
crisap94 merged 1 commit intomainfrom
front/PB-1278-oidc-trusted-publishing-v2

Conversation

@crisap94
Copy link
Member

@crisap94 crisap94 commented Dec 31, 2025

Summary

Fixes OIDC authentication by explicitly clearing NODE_AUTH_TOKEN that actions/setup-node sets automatically.

Root Cause - CONFIRMED

actions/setup-node sets NODE_AUTH_TOKEN automatically even without registry-url configuration. This default token interferes with OIDC authentication, causing npm to attempt token-based auth instead of OIDC.

The Issue

From GitHub community discussion #176761:

"The actions/setup-node action sets a default token automatically. This causes authentication conflicts with OIDC."

Even though we:

  • ✅ Have id-token: write permission
  • ✅ Have npm Trusted Publisher configured correctly
  • ✅ Are using npm publish (not pnpm)
  • ✅ Removed registry-url from setup-node

setup-node STILL sets NODE_AUTH_TOKEN, blocking OIDC.

Solution

Explicitly clear NODE_AUTH_TOKEN in the publish step:

- name: Publish to NPM
  run: npm publish --access public --tag ${{ steps.version.outputs.tag }} --provenance
  env:
    NODE_AUTH_TOKEN: ''  # Force npm to use OIDC instead of token auth

How It Works

  1. setup-node runs and sets default NODE_AUTH_TOKEN
  2. We clear it with NODE_AUTH_TOKEN: ''
  3. npm CLI detects no token → falls back to OIDC
  4. OIDC token from id-token: write is used for authentication
  5. Publish succeeds with automatic provenance

Complete Configuration

permissions:
  id-token: write    # Generate OIDC token
  contents: write

jobs:
  deploy:
    environment:
      name: npm-production  # Matches npm Trusted Publisher config

    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          # No registry-url (avoids explicit token config)

      - name: Publish to NPM
        run: npm publish --access public --tag latest --provenance
        env:
          NODE_AUTH_TOKEN: ''  # Clear automatic token from setup-node

Changes Made

File: .github/workflows/deploy.yml

Added env block to publish step:

env:
  NODE_AUTH_TOKEN: ''

Why Previous Attempts Failed

  1. Attempt 1: Used pnpm publish → pnpm doesn't support OIDC ❌
  2. Attempt 2: Added registry-url → Created conflicting token ❌
  3. Attempt 3: Removed registry-url → setup-node still set default token ❌
  4. Attempt 4 (this PR): Clear default token → OIDC works ✅

Verification

All requirements met:

  • ✅ npm CLI 11.5.1+ (in ubuntu-latest runner)
  • id-token: write permission
  • ✅ npm Trusted Publisher configured correctly:
    • Organization: ubidots
    • Repository: react-html-canvas
    • Workflow: deploy.yml
    • Environment: npm-production
  • ✅ Using npm publish (OIDC support)
  • NODE_AUTH_TOKEN cleared (no interference)

References

@coderabbitai
Copy link

coderabbitai bot commented Dec 31, 2025

Warning

Rate limit exceeded

@crisap94 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 7 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8b27e54 and 78675c3.

📒 Files selected for processing (1)
  • .github/workflows/deploy.yml

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Dec 31, 2025

🔍 PR Quality Check Summary

Check Status
Code Quality & Tests ✅ success
Security Audit ✅ success

📋 Checks Performed:

  • ✅ TypeScript compilation
  • ✅ ESLint code quality
  • ✅ Prettier code formatting
  • ✅ Unit tests with coverage (80%+ required)
  • ✅ Build verification
  • ✅ Security audit

🎉 All checks passed! This PR is ready for review.

@crisap94 crisap94 merged commit 3d50207 into main Dec 31, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@crisap94