
Fix npm publish authentication for OIDC trusted publishing #92

Open
Copilot wants to merge 3 commits into main from copilot/fix-npm-publish-auth-errors

Copilot AI commented Feb 17, 2026

The npm publish job was failing with 404/authentication errors because the workflow lacked the id-token: write permission required for OIDC trusted publishing.

Changes

  • Added id-token: write permission to enable OIDC token issuance for npm authentication
  • Added --provenance flag to generate attestation metadata
  • Added --access public flag to ensure scoped package publishes publicly

    permissions:
      contents: write
      id-token: write  # Required for npm provenance and trusted publishing

    # ...

    - run: npm publish --provenance --access public

Requires GitHub Actions to be configured as a trusted publisher on npm for @aep_dev/aep-openapi-linter.

Original prompt

Problem

The npm publish job is failing with authentication errors when attempting to use npm trusted publishing:

npm notice Access token expired or revoked. Please try logging in again.
npm error 404 Not Found - PUT https://registry.npmjs.org/@aep_dev%2faep-openapi-linter - Not found

Failed Job: https://github.com/aep-dev/aep-openapi-linter/actions/runs/22097393418/job/63857931483

Root Cause

The workflow is configured to use npm trusted publishing (passwordless authentication via OIDC), but it's missing the required id-token: write permission. Without this permission, GitHub Actions cannot issue an OIDC token that npm can verify, causing authentication to fail.

Solution

Update .github/workflows/release.yaml to:

  1. Add id-token: write permission (lines 14-16):

    permissions:
      contents: write
      id-token: write  # Required for npm provenance and trusted publishing

  2. Add --provenance and --access public flags to npm publish command (line 69):

    - run: npm publish --provenance --access public

The id-token: write permission allows GitHub Actions to issue an OIDC token that npm can verify for trusted publishing. The --provenance flag generates attestation metadata, and --access public ensures the scoped package is published publicly.

Additional Notes

Ensure that GitHub Actions is configured as a trusted publisher on npm for the @aep_dev/aep-openapi-linter package with the repository aep-dev/aep-openapi-linter.

Reference: https://docs.npmjs.com/trusted-publishers

This pull request was created from Copilot chat.



…ishing

Co-authored-by: mkistler <800728+mkistler@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix authentication errors in npm publish job" to "Fix npm publish authentication for OIDC trusted publishing" Feb 17, 2026
Copilot AI requested a review from mkistler February 17, 2026 12:03
@mkistler mkistler marked this pull request as ready for review February 17, 2026 12:04
Contributor

@mkistler mkistler left a comment


Looks good. 👍
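
A check that could run over a workflow file to catch the misconfiguration this pull request fixes, as an added example that is not part of the pull request or the project's code: it reports jobs that run `npm publish` without an effective `id-token: write`. The function names and the sample workflow are constructed for illustration; it assumes block-style YAML and relies on the GitHub Actions rule that a job-level `permissions` block replaces the workflow-level one.

```javascript
// Added example, not the project's code. Line-based scan without a YAML
// library; assumes block-style YAML indented with spaces.
// Read the mapping nested under the `permissions:` line at lines[i].
function parsePerms(lines, i, indent) {
  const inline = lines[i].trim().slice('permissions:'.length).trim();
  if (inline) return inline === 'write-all' ? { 'id-token': 'write' } : {};
  const perms = {};
  for (let j = i + 1; j < lines.length; j++) {
    if (!lines[j].trim()) continue;
    if (lines[j].search(/\S/) <= indent) break;
    const m = lines[j].trim().match(/^([\w-]+):\s*(\S+)$/);
    if (m) perms[m[1]] = m[2];
  }
  return perms;
}

// Names of jobs that run `npm publish` without an effective id-token: write.
function jobsMissingIdToken(workflowText) {
  const lines = workflowText.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));
  let topPerms = {}, inJobs = false, jobIndent = -1, childIndent = -1, job = null;
  const jobs = [];
  lines.forEach((line, i) => {
    const text = line.trim();
    if (!text) return;
    const ind = line.search(/\S/);
    if (ind === 0) {
      inJobs = text === 'jobs:';
      jobIndent = -1;
      if (text.startsWith('permissions:')) topPerms = parsePerms(lines, i, 0);
    } else if (inJobs && (jobIndent < 0 || ind === jobIndent)) {
      jobIndent = ind;
      job = { name: text.replace(/:$/, ''), perms: null, publishes: false };
      jobs.push(job);
      childIndent = -1;
    } else if (inJobs && job) {
      if (childIndent < 0) childIndent = ind;
      // A job-level block replaces the workflow-level one entirely.
      if (ind === childIndent && text.startsWith('permissions:')) job.perms = parsePerms(lines, i, ind);
      if (/\bnpm publish\b/.test(text)) job.publishes = true;
    }
  });
  return jobs.filter((j) => j.publishes && (j.perms || topPerms)['id-token'] !== 'write')
    .map((j) => j.name);
}

// Constructed sample modelled on the workflow before the fix.
const BEFORE = ['permissions:', '  contents: write', 'jobs:', '  publish:',
  '    steps:', '      - run: npm publish'].join('\n');
console.log(jobsMissingIdToken(BEFORE)); // [ 'publish' ]
```

A workflow that publishes with a classic token instead of trusted publishing or provenance would also be flagged, so treat a hit as a prompt to check which authentication path the job uses.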
