Migrate to npm Trusted Publishing
Why migrate to Trusted Publishing?
As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).
Benefits:
- Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
- No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
- Automatic Provenance Attestation: Provides better audit trails and security transparency
- Simplified Security Model: Reduces attack surface by eliminating persistent credentials
Implementation
Update semantic-release
Update semantic-release from 24.2.3 to 25.0.1 inside the GitHub workflow, which adds support for trusted publishing. See the release notes for details.
Configure Trusted Publishing
- Set up npm Trusted Publishing in the npm dashboard for `@cypress` scope packages
- Update the GitHub Actions workflow to use OIDC instead of the `NPM_TOKEN` secret
- Remove the `NPM_TOKEN` secret from repository settings once migration is complete
Reference
Acceptance Criteria
- [ ] semantic-release updated to 25.0.1
- [ ] npm Trusted Publishing configured for this repository
- [ ] GitHub Actions workflow updated to use OIDC
- [ ] `NPM_TOKEN` secret removed from repository
- [ ] Successful test release using trusted publishing
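A release workflow in the shape the steps and checklist above describe, added here as an illustration; it is not the workflow from the cypress-io/github-action repository. It assumes a workflow file named `release.yml`, a `main` release branch, a Node.js 24 runner whose bundled npm CLI supports OIDC publishing, current `actions/checkout` and `actions/setup-node` majors, and that a trusted publisher matching this repository and workflow filename has already been registered for the package in the npm dashboard.

```yaml
# .github/workflows/release.yml (assumed filename; npm matches the OIDC token
# against the repository and workflow filename registered as trusted publisher)
name: release

on:
  push:
    branches:
      - main   # assumed release branch

# Least privilege: narrow the default GITHUB_TOKEN to what semantic-release
# needs, and add id-token: write so the job can request an OIDC token that npm
# exchanges for a short-lived, job-scoped publish credential.
permissions:
  contents: write        # create tags and GitHub releases
  issues: write          # comment on issues resolved by the release
  pull-requests: write   # comment on pull requests resolved by the release
  id-token: write        # required for npm Trusted Publishing (OIDC)

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # semantic-release needs full history and tags
          persist-credentials: false  # do not leave the checkout token on disk

      - uses: actions/setup-node@v4
        with:
          node-version: 24
          # Deliberately no registry-url: that input configures npm to read an
          # auth token from NODE_AUTH_TOKEN, which is the token-style
          # authentication this migration removes.

      - run: npm ci

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Before the migration this step also carried
          #   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # With semantic-release >= 25 and the id-token permission above, the
          # long-lived secret is no longer referenced here and can be deleted
          # from the repository settings once a test release succeeds.
```

Two checks worth doing after the first successful test release: confirm on the package's npmjs.com page that the published version carries provenance (the automatic attestation the issue lists as a benefit), and revoke the old granular access token in the npm account's token settings, since deleting the `NPM_TOKEN` secret from GitHub removes the reference but does not invalidate the token itself.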
@AtofStryker
Thanks for adding this task and for the detail you provided!
This is probably a good repo to pilot this change.
- Although the repo publishes to the npm registry @cypress/github-action, the code is never run from this source and so it's not essential for this to work 100%!
- There are already plans in place to update other actions, including cycjimmy/semantic-release-action to Node.js 24 (see https://github.com/cypress-io/github-action/issues/1519), which would be a prerequisite to update to semantic-release >=25.0.0
Please let me know if there is any urgent need for change, otherwise I'll be submitting multiple routine PRs to move the repo forward, including release components. If you are intending to submit PRs yourself, do please allow me to review them.
@MikeMcC399 I am not currently planning to submit the PRs to do the trusted publishing work, mostly just file issues and prioritize. That being said, if you want to submit the PRs, please feel free as we would greatly appreciate the help (as always!). You can also tag me as a reviewer.
@AtofStryker
Thanks for the clarification! I've added myself as assignee here for the bits that I can contribute.