fix(ci): publish to npm via OIDC trusted publishing#203

Merged
feugy merged 2 commits into main from fix/release-oidc-trusted-publishing on Jun 19, 2026

Conversation

@feugy feugy commented Jun 19, 2026

Member

Why

The release job authenticated to npm with NPM_TOKEN_ELEVATED. That elevated token can no longer be used (permissions revoked), so publishing is broken.

This switches publishing to npm Trusted Publishing (OIDC) — the same mechanism used by vercel/flags, without adopting changesets. The workflow keeps its existing trigger (release: [published]) and its beta/stable split.

🤖 Generated with Claude Code

The elevated npm token (NPM_TOKEN_ELEVATED) can no longer be used, so the
release job's npm authentication is broken. Switch to npm Trusted Publishing
(OIDC), the same mechanism used by vercel/flags and vercel/front — without
adopting changesets.

- grant `id-token: write` on the release job so the runner can mint an OIDC
  token (the job previously had no permissions block, inheriting the default
  that blocks ID-token issuance)
- drop `NODE_AUTH_TOKEN` from both publish steps; pnpm@11.1.3 performs the
  OIDC token exchange natively (native publish landed in 11.0.7, and 11.1.3
  fixes the 404 when OIDC meets the actions/setup-node `.npmrc` placeholder)
- enable `NPM_CONFIG_PROVENANCE` for signed provenance attestations

Requires a Trusted Publisher to be configured on npm for @vercel/analytics
(repo vercel/analytics, workflow release.yml).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
vercel Bot commented Jun 19, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| analytics-astro | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-next15 | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-nextjs | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-nuxt | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-remix | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-sveltekit | Ready | Preview, Comment | Jun 19, 2026 3:37pm |
| analytics-vue | Ready | Preview, Comment | Jun 19, 2026 3:37pm |

Review thread on .github/workflows/release.yml (outdated)
feugy requested a review from a team June 19, 2026 15:36
Per review feedback, move provenance out of the workflow env and into the
package's publishConfig so it always applies, regardless of how publish is
invoked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
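The shape of the workflow change both commit messages above describe, as an added example: this is not vercel/analytics' own release.yml. The job and step names, the use of pnpm/action-setup, the Node version, and deciding beta versus stable from `github.event.release.prerelease` are assumptions; the `permissions` block, the pnpm version, the removed `NODE_AUTH_TOKEN`, and the `release: [published]` trigger come from the PR.

```yaml
# Added example, not the project's release.yml. Job/step names, the pnpm
# action, the Node version and the prerelease-based split are assumptions.
name: release

on:
  release:
    types: [published]   # the trigger the PR keeps unchanged

jobs:
  publish:
    runs-on: ubuntu-latest
    # Without an explicit permissions block the job inherits the default
    # token permissions, which do not allow ID-token issuance, so the OIDC
    # exchange with npm can never start.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          # 11.0.7 introduced native OIDC publish; 11.1.3 fixes the 404 hit
          # when OIDC meets the setup-node .npmrc placeholder.
          version: 11.1.3

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # setup-node writes an .npmrc that references ${NODE_AUTH_TOKEN}.
          # Nothing exports that variable any more, so no long-lived secret
          # is present in the job for a compromised step to read.
          registry-url: https://registry.npmjs.org

      - run: pnpm install --frozen-lockfile

      # Before this change each publish step carried
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
      # That elevated token is gone. pnpm now presents the runner's
      # short-lived OIDC token to npm, which only accepts it if a Trusted
      # Publisher for this repo and workflow file name is configured.
      - name: Publish beta
        if: github.event.release.prerelease
        run: pnpm publish --no-git-checks --tag beta

      - name: Publish stable
        if: ${{ !github.event.release.prerelease }}
        run: pnpm publish --no-git-checks
```

The first commit set `NPM_CONFIG_PROVENANCE` in the workflow env; the follow-up commit moved it into the package's `publishConfig`, which in package.json is the standard `"publishConfig": { "provenance": true }` key. The example assumes that second form is in place, so the workflow carries no provenance setting of its own and a publish run from anywhere else still requests the attestation. The check to make before merging such a change is that the Trusted Publisher registered on npm names exactly this repository and this workflow file, since a mismatch is rejected at publish time rather than falling back to a token.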
@feugy feugy merged commit d5df714 into main Jun 19, 2026
14 checks passed
@feugy feugy deleted the fix/release-oidc-trusted-publishing branch June 19, 2026 15:41