activescott
Add OIDC permissions for npm trusted publishers
This PR adds the required OIDC permissions to the GitHub Actions workflow to enable npm trusted publishers authentication, following the npm trusted publishers documentation.
Changes
Added the following permissions to .github/workflows/build.yml:
-
id-token: write- Required for OIDC authentication with npm -
contents: read- Required for repository access
These permissions are set at the workflow level and will be inherited by the reusable workflows used for testing and publishing.
Benefits
-
Enhanced Security: Replaces long-lived
NPM_TOKENsecrets with short-lived OIDC tokens - Simplified Token Management: No need to manually rotate or manage npm tokens
- Better Audit Trail: OIDC authentication provides better tracking of publishing events
Testing
- ✅ All existing tests pass (24/24)
- ✅ Linting passes without errors
- ✅ YAML syntax is valid
The workflow structure remains unchanged and continues to use the existing reusable workflows from activescott/github-actions-workflows.
Original prompt
On build.yml, Following https://docs.npmjs.com/trusted-publishers do the following:
Add the required OIDC permissions to your workflow. Here's a complete example:
name: Publish Package
on: push: tags: - 'v*'
permissions: id-token: write # Required for OIDC contents: read
jobs: publish: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- uses: actions/setup-node@v4 with: node-version: '20' registry-url: 'https://registry.npmjs.org' # Ensure npm 11.5.1 or later is installed - name: Update npm run: npm install -g npm@latest - run: npm ci - run: npm run build --if-present - run: npm test - run: npm publishThe critical requirement is the id-token: write permission, which allows GitHub Actions to generate OIDC tokens. Learn more in GitHub's OIDC documentation.
Submit a PR
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.
