Skip to content

Fix npm publish authentication for OIDC trusted publishing#92

Open
Copilot wants to merge 3 commits intomainfrom
copilot/fix-npm-publish-auth-errors
Open

Fix npm publish authentication for OIDC trusted publishing#92
Copilot wants to merge 3 commits intomainfrom
copilot/fix-npm-publish-auth-errors

Conversation

Copy link

Copilot AI commented Feb 17, 2026
edited
Loading

The npm publish job was failing with 404/authentication errors because the workflow lacked the id-token: write permission required for OIDC trusted publishing.

Changes

  • Added id-token: write permission to enable OIDC token issuance for npm authentication
  • Added --provenance flag to generate attestation metadata
  • Added --access public flag to ensure scoped package publishes publicly
permissions:
  contents: write
  id-token: write  # Required for npm provenance and trusted publishing

# ...

- run: npm publish --provenance --access public

Requires GitHub Actions to be configured as a trusted publisher on npm for @aep_dev/aep-openapi-linter.

Original prompt

Problem

The npm publish job is failing with authentication errors when attempting to use npm trusted publishing:

npm notice Access token expired or revoked. Please try logging in again.
npm error 404 Not Found - PUT https://registry.npmjs.org/@aep_dev%2faep-openapi-linter - Not found

Failed Job: https://github.com/aep-dev/aep-openapi-linter/actions/runs/22097393418/job/63857931483

Root Cause

The workflow is configured to use npm trusted publishing (passwordless authentication via OIDC), but it's missing the required id-token: write permission. Without this permission, GitHub Actions cannot issue an OIDC token that npm can verify, causing authentication to fail.

Solution

Update .github/workflows/release.yaml to:

  1. Add id-token: write permission (lines 14-16):

    permissions:
  contents: write
  id-token: write  # Required for npm provenance and trusted publishing

  2. Add --provenance and --access public flags to npm publish command (line 69):

    - run: npm publish --provenance --access public

The id-token: write permission allows GitHub Actions to issue an OIDC token that npm can verify for trusted publishing. The --provenance flag generates attestation metadata, and --access public ensures the scoped package is published publicly.

Additional Notes

Ensure that GitHub Actions is configured as a trusted publisher on npm for the @aep_dev/aep-openapi-linter package with the repository aep-dev/aep-openapi-linter.

Reference: https://docs.npmjs.com/trusted-publishers

This pull request was created from Copilot chat.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@mkistler
Add id-token: write permission and npm publish flags for trusted publ…
7b2bcc0 
…ishing

Co-authored-by: mkistler <800728+mkistler@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix authentication errors in npm publish job Fix npm publish authentication for OIDC trusted publishing Feb 17, 2026
Copilot AI requested a review from mkistler February 17, 2026 12:03
@mkistler mkistler marked this pull request as ready for review February 17, 2026 12:04
mkistler
mkistler approved these changes Feb 17, 2026
View reviewed changes
Copy link
Contributor

@mkistler mkistler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rambleraptor rambleraptor rambleraptor approved these changes

@toumorokoshi toumorokoshi Awaiting requested review from toumorokoshi

+1 more reviewer

@mkistler mkistler mkistler approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mkistler mkistler

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkistler @rambleraptor

Comments