Conversation

@jhampton
Collaborator

Comment out NODE_AUTH_TOKEN and NPM_TOKEN for security during migration to NPM OIDC-based publishing authentication

Description

Type of Change

  • feat: New feature (non-breaking change which adds functionality)
  • fix: Bug fix (non-breaking change which fixes an issue)
  • docs: Documentation update
  • refactor: Code refactoring (no functional changes)
  • perf: Performance improvement
  • test: Test additions or updates
  • build: Build system or dependency changes
  • ci: CI configuration changes
  • chore: Other changes (maintenance, etc.)

Breaking Changes

  • This PR contains BREAKING CHANGES

Breaking Change Details:

Migration Guide:

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • All commit messages follow conventional commits format
  • I have updated the appropriate section in documentation (if needed)

Conventional Commits

All commits in this PR follow conventional commit format:

<type>(<scope>): <subject>

[optional body]

[optional footer]

Example commit messages:

  • feat(api): add Bible verse lookup method
  • fix(auth): resolve token refresh race condition
  • docs: update installation instructions

For breaking changes:

  • feat(api)!: redesign Bible content API

See CONTRIBUTING.md for detailed guidelines.

Related Issues

Closes #
Relates to #

Additional Context

Reviewer Notes

Comment out NODE_AUTH_TOKEN and NPM_TOKEN for security during migration to NPM OIDC-based publishing authentication

Signed-off-by: Jeff Hampton <jhampton@gmail.com>
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@jhampton jhampton merged commit c63c21a into main Jan 16, 2026
1 of 2 checks passed
@jhampton jhampton deleted the ype-1050-npm-oidc-publishing branch January 16, 2026 21:57
@greptile-apps

greptile-apps bot commented Jan 16, 2026

Greptile Summary

This PR disables NPM token-based authentication in the release workflow by commenting out NODE_AUTH_TOKEN and NPM_TOKEN environment variables. The change supports migration to NPM OIDC-based publishing authentication, which is a more secure approach than storing long-lived tokens as GitHub secrets. The workflow already has the necessary OIDC configuration in place (id-token: write permission for npm provenance), so removing these token-based credentials is a straightforward security improvement that should not impact the release process if NPM OIDC is properly configured in the NPM registry settings.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it removes deprecated authentication credentials and relies on OIDC which is more secure.
  • The change is minimal and focused - only commenting out two lines that set NPM authentication tokens. The workflow infrastructure already has OIDC support configured (id-token: write permission and registry-url setup), so the removal of these tokens is aligned with modern security best practices. Semantic-release and npm have native OIDC support, so authentication should work properly without the explicit token variables. The change reduces security risk by eliminating long-lived token storage in GitHub secrets.
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/release.yml Disabled NPM token environment variables (NODE_AUTH_TOKEN and NPM_TOKEN) in the release workflow by commenting them out on lines 50-51. This change is part of a migration to NPM OIDC-based publishing authentication, which uses the id-token: write permission (line 18) instead of long-lived tokens. The change is safe and aligns with the existing workflow configuration that already supports OIDC (provenance token permission is present).

Sequence Diagram

sequenceDiagram
    participant GitHub as GitHub Actions
    participant Checkout as Checkout Code
    participant NodeSetup as Setup Node/NPM
    participant Validate as Validate
    participant Release as semantic-release
    participant NPM as NPM Registry
    participant OIDC as GitHub OIDC Provider

    GitHub->>Checkout: Fetch repository (SSH key)
    GitHub->>NodeSetup: Configure npm registry
    NodeSetup->>NodeSetup: Configure registry-url
    GitHub->>Validate: Run typecheck/lint/test/build
    Validate-->>GitHub: All checks pass
    GitHub->>Release: Run semantic-release
    Release->>Release: Check version, generate changelog
    Release->>NPM: Request OIDC token from GitHub
    Release->>OIDC: Get short-lived OIDC token
    OIDC-->>Release: Return token (id-token permission)
    Release->>NPM: Publish package with OIDC token
    NPM-->>Release: Package published
    Release->>GitHub: Create release and git tags
    Release-->>GitHub: Complete
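As an added illustration (not the project's own release.yml and not part of any comment in this thread), this is the shape of a release job after the migration the Greptile summary describes: the id-token: write permission and the registry-url setup stay, and the two long-lived token variables are commented out so the job publishes with a short-lived OIDC token instead. The workflow name, job and step names, the Node version and the branch filter are assumptions.

```yaml
# Added illustration of the post-migration release job; not the project's file.
# Workflow name, job/step names, Node version and branch filter are assumptions.
name: release
on:
  push:
    branches: [main]

permissions:
  contents: write   # semantic-release pushes the tag, release and changelog commit
  id-token: write   # lets the job request a short-lived OIDC token for npm publishing

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # semantic-release needs the full history to compute the next version

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # writes the .npmrc that npm publish reads

      # Trusted (OIDC) publishing needs a recent npm CLI, hence the upgrade step.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run typecheck && npm run lint && npm test && npm run build

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: true   # attach a provenance attestation to the published tarball
          # Before the migration the step also carried long-lived registry
          # credentials. With a trusted publisher configured for the package on
          # npmjs.com they are no longer needed, so they are disabled:
          # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          # NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The workflow side is only half of the setup: the package must also have this repository and workflow registered as a trusted publisher on npm, and, as the changelog further down this page shows, the project additionally updated semantic-release itself to support the OIDC flow (#29).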

@greptile-apps

greptile-apps bot commented Jan 16, 2026

Greptile's behavior is changing!

From now on, if a review finishes with no comments, we will not post an additional "statistics" comment to confirm that our review found nothing to comment on. However, you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".

jhampton pushed a commit that referenced this pull request Jan 16, 2026
## 0.8.0 (2026-01-16)

* chore: Depend on most recent Swift SDK version and update breaking changes (#27) ([a042211](a042211)), closes [#27](#27)
* chore(ci): Disable NPM tokens in release workflow (#28) ([c63c21a](c63c21a)), closes [#28](#28)
* chore(ci): update semantic-release to support OIDC workflow (#29) ([de337dc](de337dc)), closes [#29](#29)
* chore(ci): YPE-1050 Modify release.yml for permissions and Node.js version ([2c86c6f](2c86c6f))
* Add NODE_AUTH_TOKEN to release workflow ([2bdc89c](2bdc89c))
* Add provenance option to npm release configuration ([d746acf](d746acf))
* Enable NPM_CONFIG_PROVENANCE in release workflow ([e027853](e027853))
* Update Node.js version and add NPM upgrade step ([ee94aa2](ee94aa2))
* feat: add support for `configure` in Kotlin (#16) ([d9bca2d](d9bca2d)), closes [#16](#16)
* feat: implement `setApiHost` and `getAccessToken` in Kotlin (#17) ([a4ee43c](a4ee43c)), closes [#17](#17)
* feat: Implement `SignInWithYouVersionButton` for Kotlin (#26) ([5072471](5072471)), closes [#26](#26)
* feat: Implement API utils for Kotlin/Android (#25) ([9a88926](9a88926)), closes [#25](#25)
* feat: implement votd API endpoint for Kotlin (#19) ([59e6874](59e6874)), closes [#19](#19)
* docs: add AI agent code review guidelines (#23) ([8218cec](8218cec)), closes [#23](#23)
@github-actions

🎉 This PR is included in version 0.8.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
