
chore: switch npm publish to trusted publishers via OIDC#36

Merged
sriramveeraghanta merged 1 commit into main from chore/sdk-publishing-changes on Mar 27, 2026

Conversation

@Prashant-Surya (Member) commented Mar 27, 2026

Description

  • Use OIDC to publish npm package instead of using npm tokens

Type of Change

  • Feature (non-breaking change which adds functionality)

Summary by CodeRabbit

  • Chores
    • Updated package publishing workflow configuration to enhance security and reliability of the release process.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1be641d8-5523-4f19-8fa2-fff24cecc5d1

📥 Commits

Reviewing files that changed from the base of the PR and between d7a4a2f and 18279b5.

📒 Files selected for processing (1)
  • .github/workflows/publish-node-sdk.yml

📝 Walkthrough

Walkthrough

The GitHub Actions workflow for Node.js SDK publishing now uses OIDC-based provenance instead of explicit token authentication. Workflow-level permissions for content writing and OIDC token access were added, while the publish step replaces direct NODE_AUTH_TOKEN injection with a --provenance flag to pnpm publish.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/publish-node-sdk.yml)
Summary: Added explicit contents: write and id-token: write permissions at workflow level. Removed explicit NODE_AUTH_TOKEN secret injection and added the --provenance flag to the pnpm publish command for OIDC-based provenance generation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop! Hop! The workflow takes flight,
With OIDC tokens shining bright,
No secrets hidden, provenance clear,
The npm registry holds us dear! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: switching npm publishing to use OIDC trusted publishers instead of traditional token-based authentication.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

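The change the walkthrough describes, shown as an added illustration that is not the repository's own publish-node-sdk.yml: the token-based publish step being replaced, beside the OIDC trusted-publishing form it moves to. The trigger, job name, Node/pnpm setup steps and the NPM_TOKEN secret name are assumptions; the registry side (a trusted publisher registered on npmjs.com for this repository and workflow file) is also assumed and is what makes the OIDC exchange work.

```yaml
# BEFORE (assumed shape of the token-based workflow): a long-lived npm
# automation token stored as a repository secret is injected into the job.
# Any step in the job, or anyone who can read the secret, can publish any
# version of the package from anywhere, and the token never expires on its own.
name: Publish Node SDK
on:
  push:
    tags: ["v*"]            # assumed trigger
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - uses: pnpm/action-setup@v4
      - run: pnpm install --frozen-lockfile
      - run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret (assumed name)
---
# AFTER (the shape the PR walkthrough describes): no npm token in the repository.
# The job mints a short-lived OIDC token from GitHub; the registry accepts it
# only if the repository and workflow filename match the trusted publisher
# registered on npmjs.com, and --provenance attaches a signed attestation that
# ties the published tarball to this exact workflow run.
name: Publish Node SDK
on:
  push:
    tags: ["v*"]            # assumed trigger
permissions:
  contents: write           # as added in the PR; not needed for the token exchange itself
  id-token: write           # lets the job request the OIDC token the registry verifies
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - uses: pnpm/action-setup@v4
      - run: pnpm install --frozen-lockfile
      # No NODE_AUTH_TOKEN: the publish credential is derived from the OIDC
      # token for this run only. The CLI version in use must support npm
      # trusted publishing; check the pnpm/npm release notes for the floor.
      - run: pnpm publish --provenance --no-git-checks
```

Two things worth checking after such a change: the trusted publisher entry on npmjs.com must name this workflow file exactly (renaming the file silently breaks publishing), and consumers can verify the resulting attestations with `npm audit signatures`, which fails for installed packages whose registry signature or provenance statement does not check out.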

@sriramveeraghanta sriramveeraghanta merged commit 5cb562b into main Mar 27, 2026
2 checks passed
@sriramveeraghanta sriramveeraghanta deleted the chore/sdk-publishing-changes branch March 27, 2026 10:59