
Add OIDC permissions for npm trusted publishers

Open Copilot opened this issue 4 months ago • 0 comments

This PR adds the required OIDC permissions to the GitHub Actions workflow to enable npm trusted publishers authentication, following the npm trusted publishers documentation.

Changes

Added the following permissions to .github/workflows/build.yml:

  • id-token: write - Required for OIDC authentication with npm
  • contents: read - Required for repository access

These permissions are set at the workflow level and will be inherited by the reusable workflows used for testing and publishing.

Benefits

  • Enhanced Security: Replaces long-lived NPM_TOKEN secrets with short-lived OIDC tokens
  • Simplified Token Management: No need to manually rotate or manage npm tokens
  • Better Audit Trail: OIDC authentication provides better tracking of publishing events

Testing

  • ✅ All existing tests pass (24/24)
  • ✅ Linting passes without errors
  • ✅ YAML syntax is valid

The workflow structure remains unchanged and continues to use the existing reusable workflows from activescott/github-actions-workflows.

Original prompt

On build.yml, following https://docs.npmjs.com/trusted-publishers, do the following:

Add the required OIDC permissions to your workflow. Here's a complete example:

name: Publish Package

on:
  push:
    tags:
      - 'v*'

permissions:
  id-token: write # Required for OIDC
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # Ensure npm 11.5.1 or later is installed
      - name: Update npm
        run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build --if-present
      - run: npm test
      - run: npm publish

The critical requirement is the id-token: write permission, which allows GitHub Actions to generate OIDC tokens. Learn more in GitHub's OIDC documentation.

Submit a PR



Copilot · Oct 15 '25 17:10
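The PR grants `id-token: write` at the workflow level, so every job in build.yml, including the test job, can request an OIDC token. A least-privilege variant, added here as an editorial example and not taken from the project's build.yml or from activescott/github-actions-workflows, keeps `contents: read` as the workflow-wide default and scopes the OIDC permission to the publish job alone. The reusable workflow paths and the `@main` ref below are placeholders (assumptions); the page does not show the real file names:

```yaml
name: Build and Publish

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Workflow-level default: the minimum every job needs.
# Nothing here can mint an OIDC token.
permissions:
  contents: read

jobs:
  test:
    # Hypothetical reusable workflow path (assumption): the real file in
    # activescott/github-actions-workflows is not named on this page.
    uses: activescott/github-actions-workflows/.github/workflows/test.yml@main
    # Inherits only contents: read from the workflow level.

  publish:
    needs: test
    # Publish only from version tags, never from PR or branch builds.
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      id-token: write   # only this job can obtain the OIDC token npm verifies
      contents: read
    # Hypothetical reusable workflow path (assumption), same caveat as above.
    uses: activescott/github-actions-workflows/.github/workflows/publish.yml@main
```

A called reusable workflow receives the caller job's permissions and can only lower them, so the split above is enforced by the caller regardless of what the called workflow declares. npm's trusted publisher entry is tied to a workflow filename, so before relying on this layout confirm which filename (caller or called) appears in the token claims npm checks, otherwise `npm publish` will be rejected even though the token was minted.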