
Configure CI for NPM OIDC Tokens

Open · missinglink opened this issue 3 weeks ago · 1 comment

Responding to the email "Classic npm tokens stop working December 9th" this PR migrates our classic tokens to 'OIDC' tokens.

There are two options for migration:

1. Granular Access Tokens: these are fairly similar to the classic tokens but have a maximum lifespan of 90 days; this sounds like an arduous chore.

2. OIDC Trusted Publishing (https://docs.npmjs.com/trusted-publishers): this is only available for GitHub/GitLab but lets you define the repo and workflow file that has permission to publish.

What's required is this change to every affected repo, plus going through the npm modules manually as an admin at a URL such as https://www.npmjs.com/package/pelias-api/access and configuring them.

The configuration looks like this:

[Two screenshots of the npm trusted publisher configuration page, taken 2025-12-05]

missinglink, Dec 05 '25 12:12
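For reference, the repo-side half of the migration described above looks roughly like the following GitHub Actions workflow. This is an added illustration, not the pelias project's own CI (which drives publishing through pelias/ci-tools and semantic-release); the filename `release.yml`, the Node version and the trigger are assumptions. The security-relevant points are that the job requests only `id-token: write` (so GitHub mints a short-lived OIDC token for this specific repo and workflow file) and `contents: read`, and that no long-lived `NPM_TOKEN` secret is referenced anywhere, so there is nothing to rotate or leak. The workflow filename must match the one registered on the package's npmjs.com access page, otherwise npm rejects the publish.

```yaml
# .github/workflows/release.yml  (assumed filename; must match the
# "workflow file" registered for this package on npmjs.com)
name: Release

on:
  push:
    tags:
      - "v*"   # assumed trigger: publish on version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    # Least privilege: the OIDC id-token is the only credential needed.
    # No NODE_AUTH_TOKEN / NPM_TOKEN secret is configured for this job.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22          # assumption
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # With a trusted publisher configured, npm exchanges the GitHub OIDC
      # token for a short-lived publish credential automatically.
      - run: npm publish --access public
```

If the publish step fails with an authentication error, the first things to check are that the repo owner, repo name and workflow filename registered on npmjs.com exactly match this workflow, and that the job (not just the workflow) declares `id-token: write`.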

It's likely that we will need to update the version of semantic-release we are using, either to the latest or to one after which they added support for these OIDC tokens; I wasn't able to figure out the exact version.

https://github.com/pelias/ci-tools/blob/master/semantic-release.sh

[edit] It seems to be fairly modern https://github.com/semantic-release/npm/issues/958

missinglink, Dec 05 '25 12:12