cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon npm

[BUG] use `pull_request_target` trigger OIDC publish failing from GitHub actions

Open RSS1102 opened this issue 1 month ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [x] I am using the latest npm

Current Behavior

name: "Publish Dev Preview on PR Merge"

on:
  pull_request_target:
    types: [closed]
    paths:
      - "packages/**"

permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write

jobs:
  npm-preview:

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: lts/*
          registry-url: https://registry.npmjs.org/
          cache: yarn

      - name: Install and build
          .....

      - name: npm publish
        run: npm publish --tag latest --provenance --access public

Expected Behavior

Image

Steps To Reproduce

When I changed pull_request_target to push, it was successfully triggered.

Environment

use github action ci

RSS1102 avatar Nov 18 '25 02:11 RSS1102

The solution mentioned here seems to only work with GitHub actions triggered by on: push? https://github.com/npm/cli/issues/8730

RSS1102 avatar Nov 18 '25 02:11 RSS1102

This solves the above problem, but it doesn't work when I want to generate a alpha version for merging code from external contributors. 😢😢

-  pull_request_target:
+ pull_request:

RSS1102 avatar Nov 18 '25 06:11 RSS1102