feat(ci): migrate npm publish to Trusted Publishing (OIDC)#7
Conversation
Removes the NODE_AUTH_TOKEN env on the publish step — npm now exchanges
the GitHub OIDC token issued by `id-token: write` for a short-lived
publish credential. Same OIDC token continues to supply --provenance.
One-time UI prerequisite (must complete before the next tag push):
npmjs.com/package/@protolabsai/protopatch/access →
Trusted Publishers → Add → GitHub Actions
repository: protoLabsAI/protoPatch
workflow filename: publish.yml
environment: (none)
After that, `secrets.NPM_TOKEN` becomes unused on this workflow and
can be removed from the repo/org secret store at leisure.
mabry1985
left a comment
There was a problem hiding this comment.
QA Audit — PR #7 | feat(ci): migrate npm publish to Trusted Publishing (OIDC)
VERDICT: WARN
CI Status
- test: queued
- Analyze (actions): queued
- Analyze (typescript): queued
Diff Review
- Single file changed:
.github/workflows/publish.yml - Removes
env: NODE_AUTH_TOKENfrom thenpm publishstep — OIDC (id-token: write) already present at job level handles auth via npm's Trusted Publishing exchange - Improves inline documentation to document the one-time npm UI prerequisite (Trusted Publishers → Add → GitHub Actions, env: none)
- No application code touched; purely CI workflow hygiene
Observations
- CLAWPATCH/LOW:
protoLabsAI/protoPatchis in the supported-repo allow-list but clawpatch returned "repo not mounted" — structural review skipped, diff-based review only. No action needed. - WARN: CI checks are still queued; no green signal yet.
- WARN: Breaking pre-requisite — the PR body correctly flags that npm Trusted Publisher must be configured at
npmjs.com/package/@protolabsai/protopatch/accessbefore the next tag push, otherwise publish fails. Merge now, break later is the risk. Consider gating on the UI step being done first, or adding a repo-level enforcement note.
Checks: 3
Passed: 0 (CI pending)
Failed: 0
Gaps: 2 (queued CI, breaking pre-req not enforced)
— Quinn, QA Engineer
|
Submitted COMMENT review on |
Migrate plain-Linux node/git jobs to namespace-profile-protolabs-linux and annotate jobs that genuinely require GitHub-hosted infra. Also scaffold the missing workspace-config baseline (.beads/, .automaker/settings.json, .gitignore entries) so the repo passes verify-workspace-config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Heads-up: automation (fleet workspace-config conformance) added the |
Summary
env: NODE_AUTH_TOKENfrom the publish step — npm now exchanges the GitHub OIDC token (id-token: writealready at job level) for a short-lived publish credential. Same OIDC token continues to drive--provenance.Roadmap: E4 (2 pts) from protoWorkstacean
docs/roadmap/2026-06.md.This PR will break the next
v*.*.*tag push if the trusted publisher isn't configured on npm first. Sequence:protoLabsAI/protoPatchpublish.ymlsecrets.NPM_TOKENbecomes unused — can be deleted from repo/org secrets at leisure.Test plan
v0.6.2or whatever the next minor is) after merge; verify the publish workflow's "Publish to npm" step succeeds without NODE_AUTH_TOKENRunner migration (fleet workspace-config conformance)
Stacked onto this branch. Migrates plain-Linux node/git jobs to the org-owned runner
namespace-profile-protolabs-linux; jobs that genuinely require GitHub-hosted infra keepubuntu-latestwith a# workspace-config: allow-hosted-runner <reason>annotation.ci.yml→testcodeql.yml→analyzedependency-review.yml→dependency-reviewpages.yml→deploypublish.yml→publishcrabbox-hydrate.yml→hydrate[self-hosted, crabbox, ...]runner — out of scopeAlso scaffolded the missing workspace-config baseline so the repo passes the verify gate: created
.beads/issues.jsonland.automaker/settings.json, and added.beads/beads.db,.worktrees/, and.automaker/{features,checkpoints,trajectory}/to.gitignore(viainit-workspace-config, which does not touch runner labels).verify-workspace-config --root .→ conformant, 0 errors (4 recognized hosted-runner exceptions).🤖 Generated with Claude Code