Allow publishing initial version with OIDC
Support for trusted publishing using OIDC was added in #8336 and is now generally available.
One limitation is that it's not possible to publish the initial version of a package using OIDC; it needs to be published manually or using a token. It would be great to support OIDC publishing for the initial version.
The main problem is that the UI on npmjs.com requires a package to exist before you can edit its settings and enable OIDC publishing. PyPI solved this by allowing a package to be configured with OIDC publishing before it exists. This was mentioned by @Shegox on https://github.com/orgs/community/discussions/127011#discussioncomment-9933132.
Hello @johnbillion,
thank you for creating a dedicated issue for this. I would also like to give a few ideas on potential implementations. Instead of allowing publishing with OIDC for not-yet-created packages, another option would be to allow "empty" packages to be created on npmjs.com.
I could imagine, if that is not feasible, there could be a specific version string dedicated to this which is treated as "empty", e.g. 0.0.0-dummy-npm. We do it with such a dummy version currently and then delete the dummy version again after the team has published their first real version. Or, if they are not quick enough, we can only deprecate it, which is not really great. So having an official dummy version which can always be deleted would already give us a nice workaround to grab a package name, set up the OIDC publishing and delete the dummy version again after the first real version is published.
Anyway, thank you again for looking into this. Really loving the OIDC publishing features so far 🚀
@johnbillion Thank you for bringing this to discussion! We determined not to have "first publish" available to limit scope in our MVP, but are evaluating options for the next step. This is on our minds 😄
setup-npm-trusted-publish, a dedicated tool for this, can be used to publish a "dummy" package to npm:
npx --yes setup-npm-trusted-publish <package-name>
Any updated plans for this? It makes shipping a new package much more involved than it ideally would be.