feat: support OIDC auth for GitHub Actions/GitLab#6898

cometkim · 2025-09-13T21:35:58Z

What's the problem this PR addresses?

Resolves #6831

How did you fix it?

Implementation adapted from https://github.com/npm/cli/blob/7d900c4656cfffc8cca93240c6cda4b441fbbfaa/lib/utils/oidc.js

~~I'll test publishing with a dummy package.~~
Tested at https://github.com/cometkim/npgi/actions/runs/17703091184/job/50311171040

You can check the published package and the provenance here: https://www.npmjs.com/package/npgi

~~Note: it doesn't work with the Yarn registry proxy, so it requires setting publishConfig.registry to "https://registry.npmjs.org"~~ Fixed.

Checklist

I have read the Contributing Guide.

I have set the packages that need to be released for my changes to be effective.

I will check that all automated PR checks pass before the PR gets reviewed.

arcanis

Thanks! Left a couple of comments

arcanis · 2025-09-17T09:28:20Z

.yarn/versions/9ad4b6ac.yml

+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/cli"


cli also needs to be a minor

arcanis · 2025-09-17T09:29:46Z

packages/plugin-npm-cli/sources/commands/npm/publish.ts

            ident,
            otp: this.otp,
            jsonResponse: true,
+            allowOidc: Boolean(env.CI && (env.GITHUB_ACTIONS || env.GITLAB)),


Do we gain something to exposing that as an option? Shouldn't it be an implementation detail of npmHttpUtils, since only put needs it and it always wants to set it if possible?

Theoretically, it could be supported anywhere related to the registry if the registry provider wanted it. It's not necessarily coupled with publish or put actions.

Since this essentially involves more than two provider details (registry and runner environment), I didn't think plugin-npm was the ideal place to do it, but I wanted to avoid too many changes here.

Another approach would be to use the getNpmAuthenticationHeader hook; perhaps a plugin for each CI provider would be ideal.

arcanis · 2025-09-17T09:31:51Z

packages/plugin-npm-cli/sources/commands/npm/publish.ts

 import {packUtils}                                                                              from '@yarnpkg/plugin-pack';
 import {Command, Option, Usage, UsageError}                                                     from 'clipanion';

+const {env} = process;


Avoid making an indirection for process.env, it makes it a little more difficult to understand where a value comes from at a glance.

Resolves yarnpkg#6831

cometkim · 2025-09-17T17:58:15Z

@arcanis, btw, do you have any idea why it's not working with https://registry.yarnpkg.com? I thought it was a simple HTTP proxy.

arcanis · 2025-09-17T18:01:13Z

It's a CNAME, yes. I'm not familiar with the oidc protocol but I imagine some certificates may be attached to the hostnames and they didn't bother to do it for the Yarn hostname? Not sure.

Unfortunately these days I think GitHub tickets are the only way to get support from the folks handling the npm server 🫤

cometkim · 2025-09-17T19:20:11Z

packages/plugin-npm/sources/npmHttpUtils.ts

+      return null;
+
+    const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL);
+    url.searchParams.append(`audience`, `npm:${new URL(registry).host}`);


I see. When using registry.yarnpkg.com, audience should be replaced with the original (registry.npmjs.com)

cometkim · 2025-09-17T19:41:22Z

Ok, now it works without changing the registry URL.

https://github.com/cometkim/npgi/actions/runs/17808768531/job/50627038427

arcanis · 2025-09-18T11:04:42Z

Released in 4.10 - thanks a lot !

## What's the problem this PR addresses? At #6898, I made a mistake, making it not work for scoped packages.

- Upgrade to Yarn 4.12.0 for OIDC support (PR yarnpkg/berry#6898) - Replace npx npm@latest publish --provenance with yarn npm publish - Provenance is automatic with OIDC trusted publishing - Add packageManager field where missing

* Use npm trusted publishing for package releases - Add OIDC permissions (id-token: write, contents: read) for trusted publishing - Replace NODE_AUTH_TOKEN with npx npm@latest publish --provenance * Use yarn npm publish with OIDC for trusted publishing - Upgrade to Yarn 4.12.0 for OIDC support (PR yarnpkg/berry#6898) - Replace npx npm@latest publish --provenance with yarn npm publish - Provenance is automatic with OIDC trusted publishing - Add packageManager field where missing * Upgrade to Yarn 4.x for OIDC trusted publishing - Add packageManager field (yarn@4.9.1) - Add .yarnrc.yml with nodeLinker: node-modules - Update CI: corepack enable, --immutable, yarn npm publish - Update Node.js to 22.x - Update TypeScript to 5.7.3, Jest to 29.7.0 - Update test snapshot for Jest 29 format * Upgrade ESLint toolchain for Node.js 22 compatibility - Upgrade ESLint from 7.32.0 to 8.57.0 (fixes ESM compatibility with Node 22) - Upgrade @typescript-eslint packages from 4.x to 5.62.0 - Upgrade eslint-plugin-jest from 24.x to 27.9.0 - Upgrade prettier from 2.x to 3.5.1 - Fix clean script glob pattern for zsh compatibility - Fix test precision: truncate float literals that exceed IEEE 754 float64 representable precision (the original values were silently rounded at runtime anyway, so no behavioral change) * Fix clean script glob quoting for zsh Use single quotes to pass the glob pattern to rimraf instead of letting zsh expand it (which fails when no files match).

* Use npm trusted publishing for package releases - Add OIDC permissions (id-token: write, contents: read) for trusted publishing - Replace NODE_AUTH_TOKEN with npx npm@latest publish --provenance * Use yarn npm publish with OIDC for trusted publishing - Upgrade to Yarn 4.12.0 for OIDC support (PR yarnpkg/berry#6898) - Replace npx npm@latest publish --provenance with yarn npm publish - Provenance is automatic with OIDC trusted publishing - Add packageManager field where missing * Upgrade to Yarn 4.x for OIDC trusted publishing - Add packageManager field (yarn@4.9.1) - Add .yarnrc.yml with nodeLinker: node-modules - Update CI: corepack enable, --immutable, yarn npm publish - Update Node.js to 22.x

cometkim force-pushed the npm-trusted-publish branch 2 times, most recently from c8563c6 to 8d89c74 Compare September 13, 2025 22:52

cometkim marked this pull request as ready for review September 13, 2025 23:01

arcanis reviewed Sep 17, 2025

View reviewed changes

arcanis mentioned this pull request Sep 17, 2025

feat: implement npmMinimalAgeGate and npmPreapprovedPackages config options #6901

Merged

3 tasks

cometkim added 8 commits September 18, 2025 02:55

feat: support OIDC auth for GitHub Actions/GitLab

d9b2a3a

Resolves yarnpkg#6831

prepare release

82f58f3

fix

09b2407

request oidc token only on publishing

d2b5b66

fix

54d1528

make trusted publisher setting as optional

76fe4f6

mark cli as minor

4951d0a

use process.env directly

c568e5b

cometkim force-pushed the npm-trusted-publish branch from 61877d1 to c568e5b Compare September 17, 2025 17:55

cometkim commented Sep 17, 2025

View reviewed changes

cometkim added 2 commits September 18, 2025 04:34

set OIDC audience to registry.npmjs.org

e1ab5da

fix audience

75fd4ff

arcanis added 2 commits September 18, 2025 10:27

Versions

5addc9f

Merge branch 'master' into npm-trusted-publish

3730bf3

arcanis merged commit 0964654 into yarnpkg:master Sep 18, 2025
25 of 26 checks passed

arcanis mentioned this pull request Sep 18, 2025

[Bug?]: 4.10.0 breaks "yarn npm publish" #6903

Closed

1 task

cometkim deleted the npm-trusted-publish branch September 18, 2025 11:38

cometkim mentioned this pull request Sep 19, 2025

Fix OIDC publishing for scoped packages #6911

Merged

jakub-g mentioned this pull request Sep 22, 2025

Mention OIDC auth bodadotsh/npm-security-best-practices#4

Closed

arcanis pushed a commit that referenced this pull request Sep 22, 2025

Fix OIDC publishing for scoped packages (#6911)

7b0f301

## What's the problem this PR addresses? At #6898, I made a mistake, making it not work for scoped packages.

JReinhold mentioned this pull request Oct 2, 2025

Release tooling: Use npm Trusted Publishing storybookjs/storybook#32607

Merged

8 tasks

devin-ai-integration bot mentioned this pull request Jan 26, 2026

Fix OIDC trusted publishing for npm cognizant-ai-lab/neuro-san-ui#124

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: support OIDC auth for GitHub Actions/GitLab#6898