
fix: updates release workflow to support OIDC #53

Merged
mattinannt merged 1 commit into main from fix/updates-release-yml, Feb 19, 2026

Conversation

@pandeymangg (Contributor)

Changes the workflow to support OIDC trusted publishers:
https://docs.npmjs.com/trusted-publishers


@coderabbitai coderabbitai bot commented Feb 19, 2026

Walkthrough

The change updates the GitHub Actions release workflow in .github/workflows/release.yml. Specifically, it modifies the id-token permission comment from "Required for npm provenance" to "Required for OIDC". Additionally, the explicit NODE_AUTH_TOKEN environment variable reference is removed from the Publish to npm step, indicating a shift from token-based authentication to OIDC-based authentication for the npm publishing process.

Pre-merge checks (3 passed)

  • Title check: Passed. The pull request title accurately summarizes the main change: updating the release workflow to support OIDC authentication for npm publishing.
  • Description check: Passed. The pull request description is directly related to the changeset, explaining that it changes the workflow to support OIDC trusted publishers with a reference to npm documentation.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/release.yml (2)

30-30: ⚠️ Potential issue | 🟡 Minor

registry-url in setup-node may inject an empty auth token that conflicts with OIDC.

actions/setup-node configured with registry-url writes an .npmrc entry of the form //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. With NODE_AUTH_TOKEN now absent, the env-var reference resolves to an empty string at publish time. Something injecting token auth — even via environment variables or config — can cause the npm CLI to take the classic token auth path instead of OIDC.

The npm CLI automatically detects OIDC environments and uses them for authentication before falling back to traditional tokens, so this may work in practice, but the stale .npmrc token line is unnecessary and is a latent risk. If the registry URL is needed only for resolving the correct registry endpoint, consider moving it to the project's .npmrc file instead of relying on setup-node's dynamic .npmrc generation.

♻️ Alternative: remove `registry-url` from `setup-node`
       - name: Setup Node.js 22.x
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 22.14.0
-          registry-url: "https://registry.npmjs.org"
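Review bot: the removal of `registry-url` on the last line of this hunk only makes sense together with the project-level `.npmrc` shown right below it; if the two are applied separately, nothing in the workflow or the repository declares which registry `npm publish` should use. Land the `registry-url` removal and the `registry=https://registry.npmjs.org/` line in the same commit, and check that the `.npmrc` ends up in the directory the publish step actually runs from (packages/react-native) rather than only at the repository root.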

And add a project-level .npmrc (or packages/react-native/.npmrc):

registry=https://registry.npmjs.org/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 30, The workflow currently sets
registry-url in the actions/setup-node step which causes setup-node to write an
.npmrc line with //_authToken=${NODE_AUTH_TOKEN} that can inject an empty token
and interfere with OIDC; remove the registry-url key from the setup-node
configuration in the release workflow and instead create a project-level .npmrc
containing "registry=https://registry.npmjs.org/" (or the package-specific
.npmrc) so the registry is declared without causing setup-node to emit the
_authToken entry.

27-30: ⚠️ Potential issue | 🟠 Major

node-version: 22.x may resolve below the minimum required for npm trusted publishing.

npm trusted publishing requires npm CLI version 11.5.1 or later and Node version 22.14.0 or higher. The 22.x range is resolved at run-time to the latest available Node 22 patch on the runner, which may or may not satisfy >=22.14.0 depending on when the runner toolcache is updated. If the resolved version falls below 22.14.0, the npm CLI will not support OIDC authentication, causing the publish step to fail with an authentication error.

Pin to a version known to satisfy the requirement:

🔧 Proposed fix
-          node-version: 22.x
+          node-version: 22.14.0
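Review bot: this hunk replaces `node-version: 22.x`, yet the context line in the first suggestion above already reads `node-version: 22.14.0`, so the two snippets disagree about what the file currently contains; verify the actual value in .github/workflows/release.yml before applying either. An exact pin of `22.14.0` also freezes the runtime on that one patch release, so someone has to bump it deliberately when a newer 22.x patch is wanted (the finding itself allows "a newer specific 22.x patch").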
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 27 - 30, The workflow currently
uses actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af with
node-version: 22.x which can resolve to a Node patch older than 22.14.0; update
the node-version value to a pinned version that guarantees Node >=22.14.0 (for
example "22.14.0" or a newer specific 22.x patch) so that actions/setup-node
always installs a Node release that meets the npm trusted publishing
requirement.
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

46-49: Verify that the package is registered as a trusted publisher on npmjs.com before merging.

The workflow-side OIDC changes are only one half of the setup. You need to: (1) configure the trusted publisher on npmjs.com, (2) add id-token: write permission to your workflow, (3) remove NPM_TOKEN from your secrets and npm publish command. Steps 2 and 3 are done here; step 1 must be completed on npmjs.com.

Additional operational considerations:

  • For GitHub Actions, ensure id-token: write permission is set in your workflow. npm does not verify your trusted publisher configuration when you save it — double-check that your repository, workflow filename, and other details are correct, as errors will only appear when you attempt to publish.
  • Verify the workflow filename matches exactly (including .yml) and that owner/repository are correct and case-sensitive.
  • Trusted publishing currently supports only cloud-hosted runners; support for self-hosted runners is intended for a future release. The ubuntu-latest runner used here is fine.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 46 - 49, Ensure the npm package
is registered as a Trusted Publisher on npmjs.com for this repository (complete
the external step on npmjs.com and verify the exact repository, owner, and
workflow filename match), confirm the workflow for the release has permissions:
id-token: write set (in the release.yml permissions block), remove any use of
NPM_TOKEN secret and any legacy npm login steps, and keep the npm publish
command in packages/react-native using OIDC (ensure the runner remains a
cloud-hosted runner like ubuntu-latest).
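As an added example (not code from the PR or the project's workflow), a POSIX shell preflight that a release job could run before `npm publish`, turning the two findings above into checks: the Node 22.14.0 / npm 11.5.1 floor quoted in the Major finding, and a stale `.npmrc` `_authToken` line pointing at an unset `NODE_AUTH_TOKEN`, which is what the Minor finding describes. The function names and the `.npmrc` sample are constructed for this example.

```shell
#!/bin/sh
# Added preflight check for an OIDC (trusted publishing) npm release job.
# Example code, not part of the PR or the project's workflow. It encodes
# the two findings above: the npm trusted publishing toolchain floor
# (Node >= 22.14.0, npm >= 11.5.1) and a stale .npmrc _authToken line
# whose ${NODE_AUTH_TOKEN} reference expands to empty once the token is
# no longer passed to the publish step.
set -eu

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
  v1=$1 v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    x=${v1%%.*} y=${v2%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 0
}

# Read an .npmrc on stdin and print each _authToken line whose ${VAR}
# reference is unset or empty here: npm would get an empty token from it.
npmrc_stale_token_lines() {
  while IFS= read -r line; do
    case $line in *_authToken=*) ;; *) continue ;; esac
    var=$(printf '%s\n' "$line" | sed -n 's/.*_authToken=\${\([A-Za-z_][A-Za-z0-9_]*\)}.*/\1/p')
    [ -n "$var" ] || continue
    eval "val=\${$var:-}"   # var matched a strict identifier regex, so eval is safe
    if [ -z "$val" ]; then printf '%s\n' "$line"; fi
  done
}

# npmrc_has_stale_token: succeed when stdin holds at least one such line.
npmrc_has_stale_token() { [ -n "$(npmrc_stale_token_lines)" ]; }

# Constructed sample of what setup-node writes when registry-url is set.
SAMPLE_NPMRC='//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
registry=https://registry.npmjs.org/'

# preflight NODE_VERSION NPM_VERSION < .npmrc: fail on the first problem.
# On a runner: preflight "$(node -v | sed s/^v//)" "$(npm -v)" < ~/.npmrc
preflight() {
  version_ge "$1" 22.14.0 || { echo "node $1 is below 22.14.0" >&2; return 1; }
  version_ge "$2" 11.5.1 || { echo "npm $2 is below 11.5.1" >&2; return 1; }
  if npmrc_has_stale_token; then echo "stale _authToken line in .npmrc" >&2; return 1; fi
  echo "preflight ok"
}
```

Running it with the sample `.npmrc` and no `NODE_AUTH_TOKEN` in the environment fails on the stale token line; the same file with the variable set, or a file that only declares `registry=`, passes.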

mattinannt added this pull request to the merge queue Feb 19, 2026
Merged via the queue into main with commit 155f95d Feb 19, 2026
9 checks passed
mattinannt deleted the fix/updates-release-yml branch February 19, 2026 12:44