🔧 [PB-1278] Remove registry-url to fix OIDC (final attempt)#23
- Remove registry-url from setup-node to prevent automatic NODE_AUTH_TOKEN creation
- Bump version to 0.2.11 for deployment test

Root cause: setup-node with registry-url automatically creates the NODE_AUTH_TOKEN environment variable, which blocks OIDC authentication even when it is not explicitly set.

This is our final OIDC attempt. If this fails, we'll use a traditional npm token.
🔍 PR Quality Check Summary

📋 Checks Performed:

🎉 All checks passed! This PR is ready for review.
After 4 failed attempts with OIDC trusted publishing (#20, #21, #22, #23), we're switching to the more reliable traditional npm token authentication.

Changes:
- Add registry-url back to setup-node
- Add NODE_AUTH_TOKEN env using NPM_TOKEN secret
- Bump version to 0.2.12
- Keep --provenance flag for supply chain security

Required setup:
1. Create npm automation token at https://www.npmjs.com/settings/[username]/tokens/create
2. Add as GitHub secret: NPM_TOKEN

Benefits:
✅ Battle-tested and reliable
✅ Still supports provenance attestation
✅ No OIDC configuration issues

Trade-offs:
⚠️ Requires manual token management
⚠️ Token needs rotation
Summary
Final OIDC attempt: Remove `registry-url` from setup-node to prevent automatic `NODE_AUTH_TOKEN` creation. If this fails, we'll switch to traditional npm token authentication.
Root Cause Found
Looking at the previous deployment logs, even though we removed the explicit `env` block, setup-node with the `registry-url` parameter automatically creates `NODE_AUTH_TOKEN`:

This blocks OIDC authentication.
Changes
- Removed `registry-url: 'https://registry.npmjs.org'` from setup-node

Why This Should Work
Fallback Plan
If this deployment fails, we'll immediately switch to Option B: traditional npm token authentication with these steps:
1. Add `NPM_TOKEN` secret
2. Add `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`
3. Keep `--provenance` flag for supply chain security

Testing
Merge → automatic deployment → monitor logs closely
Previous attempts: #20, #21, #22 all failed due to NODE_AUTH_TOKEN interfering with OIDC
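An added example, not the project's own workflow file (which is not shown on this page), of what the OIDC-only publish job described in this PR looks like in GitHub Actions YAML, with a guard step that fails fast if anything still injects `NODE_AUTH_TOKEN`. The `id-token: write` permission, action and Node versions, tag trigger and the guard step are assumptions, not taken from the page.

```yaml
name: publish

on:
  push:
    tags: ['v*']          # assumed trigger; adjust to the project's release flow

permissions:
  contents: read
  # Assumed requirement for OIDC trusted publishing: the job must be able
  # to request a GitHub ID token that npm exchanges for short-lived credentials.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # No `registry-url` here. When it is set, setup-node writes an .npmrc
      # and injects NODE_AUTH_TOKEN itself (the root cause in this PR), so npm
      # falls back to token auth instead of the OIDC exchange.
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Guard step (assumed, not from the PR): surface a stray token before
      # `npm publish` fails with a confusing auth error deep in the logs.
      - name: Assert no NODE_AUTH_TOKEN is present
        run: |
          if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
            echo "::error::NODE_AUTH_TOKEN is set; OIDC publishing would be bypassed"
            exit 1
          fi

      - run: npm ci

      # No env block: npm authenticates via OIDC and records provenance.
      - run: npm publish --provenance

      # Option B from the PR (long-lived token) would replace the steps above with:
      #   - uses: actions/setup-node@v4
      #     with:
      #       node-version: 20
      #       registry-url: 'https://registry.npmjs.org'
      #   - run: npm publish --provenance
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

With Option B the secret is a standing credential, so rotation and scoping to an automation token (as the commit message notes) become the controls that OIDC would otherwise have made unnecessary.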