
ci: switch to npm trusted publishing (OIDC) for releases #198

Merged
justinchung-cb merged 1 commit into master from
justinchung/update-release-workflow-trusted-publishing
Feb 18, 2026

@justinchung-cb

Summary

  • Switch from NPM_TOKEN secret to npm trusted publishing (OIDC) for automated releases

Changes

  • Node 18 -> 22: Required for npm trusted publishing (needs npm >= 11.5.1)
  • Added id-token: write permission: Enables GitHub Actions OIDC token generation
  • Replaced NODE_AUTH_TOKEN: NPM_TOKEN with NPM_CONFIG_PROVENANCE: true: Uses OIDC instead of a manually managed npm token
  • Removes dependency on the expired NPM_TOKEN secret

Pre-requisite (must be done on npmjs.com before merging)

Trusted publishing must be configured on npmjs.com for @coinbase/onchaintestkit:

  1. Go to https://www.npmjs.com/package/@coinbase/onchaintestkit/access
  2. Under "Publishing access" -> "Trusted publishing", add:
    • Repository: coinbase/onchaintestkit
    • Environment: release
    • Workflow: release.yml

Test Plan

  • Configure trusted publishing on npmjs.com (pre-requisite above)
  • Merge this PR
  • Run the Release (manual) workflow
  • Verify npm view @coinbase/onchaintestkit version shows 1.2.1

Made with Cursor

- Update Node from 18 to 22 (required for npm trusted publishing)
- Add id-token: write permission for OIDC token generation
- Replace NPM_TOKEN with NPM_CONFIG_PROVENANCE for tokenless publishing
- Removes dependency on manually managed npm access tokens

Co-authored-by: Cursor <cursoragent@cursor.com>
@cb-heimdall

cb-heimdall commented Feb 18, 2026

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@justinchung-cb justinchung-cb merged commit 1cd9454 into master Feb 18, 2026
7 checks passed
@justinchung-cb justinchung-cb deleted the justinchung/update-release-workflow-trusted-publishing branch February 18, 2026 19:52
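
Added example (not part of this PR or the repository's code): a line-based audit of a release workflow against the changes listed in the PR description, plus the environment name that has to match the trusted publisher entry on npmjs.com. The `AFTER` and `BEFORE` workflows are constructed samples, not the project's release.yml; the step layout, action versions and the function name `auditTrustedPublishing` are assumptions.

```javascript
// AFTER: constructed sample of a workflow with the PR's changes applied.
const AFTER = `
name: Release (manual)
on: workflow_dispatch
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token
      contents: read    # still needed for checkout once permissions are explicit
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm publish
        env:
          NPM_CONFIG_PROVENANCE: true
`;

// BEFORE: the same sample with the three changes reverted (token-based publish).
const BEFORE = AFTER
  .replace('node-version: 22', 'node-version: 18')
  .replace('\n    permissions:\n      id-token: write   # lets the job request a GitHub OIDC token\n      contents: read    # still needed for checkout once permissions are explicit', '')
  .replace('NPM_CONFIG_PROVENANCE: true', 'NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}');

// Text heuristic, not a YAML parser. The Node threshold (22) is the one the PR
// description gives; the npm version on the runner (>= 11.5.1) is not checked here.
function auditTrustedPublishing(yamlText, expectedEnv) {
  const findings = [];
  const node = /node-version:\s*['"]?(\d+)/.exec(yamlText);
  if (!node || Number(node[1]) < 22) findings.push('node-version below 22');
  if (!/^\s*id-token:\s*write\b/m.test(yamlText)) findings.push('missing id-token: write');
  if (/secrets\.NPM_TOKEN/.test(yamlText)) findings.push('still references secrets.NPM_TOKEN');
  const env = /^\s*environment:\s*(\S+)\s*$/m.exec(yamlText);
  if (!env || env[1] !== expectedEnv) {
    findings.push('environment does not match trusted publisher: ' + expectedEnv);
  }
  return findings;
}

console.log('before:', auditTrustedPublishing(BEFORE, 'release'));
console.log('after: ', auditTrustedPublishing(AFTER, 'release'));
```

An empty findings list for the workflow file only covers the repository side; the Repository, Environment and Workflow values entered on npmjs.com still have to match it.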