Trusted Publisher: GitLab CI/CD namespace field docs unclear for nested subgroups, UI accepts invalid config silently #1901

@gecube

Description

Summary

When configuring a Trusted Publisher for GitLab CI/CD on npmjs.com, the "Namespace" field is described as "Your
GitLab username or group name." For projects nested under subgroups (e.g., gitlab.com/org/sub1/sub2/project),
it's unclear that the full subgroup path must be entered as the namespace. The UI accepts an incorrect split
between namespace and project without validation, resulting in a confusing 404 error during OIDC token exchange
at publish time.

Steps to Reproduce

  1. Have a GitLab project at a nested path: gitlab.com/conbo_harbour/apps/storybook/storybook.components
  2. Go to npmjs.com → package → Settings → Trusted Publishers → Add GitLab CI/CD
  3. Enter conbo_harbour as Namespace and apps/storybook/storybook.components as Project (this seems logical —
    top-level group as namespace, rest as project path)
  4. The UI accepts this without any warning
  5. Run npm publish --provenance from GitLab CI with a valid NPM_ID_TOKEN

Expected Behavior

Either:

  • The UI should validate or hint that namespace must be the full group path including subgroups (i.e.,
    conbo_harbour/apps/storybook) and project must be only the project name (storybook.components)
  • Or the documentation should clearly explain this with a subgroup example

Actual Behavior

npm publish fails with:

POST 404 https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/@conboai%2fstorybook.components
OIDC token exchange error - package not found
npm error code ENEEDAUTH

This is because GitLab's OIDC token contains namespace_path: conbo_harbour/apps/storybook, which doesn't match
the configured namespace conbo_harbour.

Correct Configuration

For a project at gitlab.com/conbo_harbour/apps/storybook/storybook.components:

  ┌───────────┬──────────────────────────────┐
  │   Field   │        Correct value         │
  ├───────────┼──────────────────────────────┤
  │ Namespace │ conbo_harbour/apps/storybook │
  ├───────────┼──────────────────────────────┤
  │ Project   │ storybook.components         │
  └───────────┴──────────────────────────────┘

Suggestions

  1. Update the Namespace field description from "Your GitLab username or group name" to "Your full GitLab group
    path, including subgroups (e.g., my-org/team/sub-team)"
  2. Add a nested subgroup example to the https://docs.npmjs.com/trusted-publishers/
  3. Ideally, validate the namespace/project combination against GitLab's OIDC claim format before saving

Environment

  • GitLab.com shared runners
  • GitLab project path: conbo_harbour/apps/storybook/storybook.components
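The mismatch described above (and the pre-save validation proposed in suggestion 3) can be reproduced offline. This is an added example written for this issue, not npm's or GitLab's code; it derives the namespace/project split from a GitLab project path and compares a configured Trusted Publisher against constructed ID-token claims, assuming the token carries GitLab's `namespace_path` (quoted in the issue) and `project_path` claims.

```python
"""Check a Trusted Publisher namespace/project split against GitLab's OIDC claims."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedPublisher:
    namespace: str  # full group path, including subgroups
    project: str    # project name only (last path segment)


def split_gitlab_path(full_path: str) -> TrustedPublisher:
    """Derive the correct fields from a gitlab.com project path: all but the
    last segment is the namespace, the last segment is the project."""
    parts = [p for p in full_path.strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"need at least namespace/project, got {full_path!r}")
    return TrustedPublisher(namespace="/".join(parts[:-1]), project=parts[-1])


def validate_config(cfg: TrustedPublisher) -> list[str]:
    """Pre-save checks a UI could run; returns a list of problems (empty = ok)."""
    problems = []
    if "/" in cfg.project:
        problems.append("project must be the project name only; "
                        "move the leading path segments into namespace")
    if not cfg.namespace or cfg.namespace.strip("/") != cfg.namespace:
        problems.append("namespace must be a non-empty group path "
                        "without leading or trailing slashes")
    return problems


def matches_token(cfg: TrustedPublisher, claims: dict) -> bool:
    """Mirror the exchange-time comparison: the token's namespace_path must equal
    the configured namespace and project_path must equal namespace/project."""
    expected_project_path = f"{cfg.namespace}/{cfg.project}"
    return (claims.get("namespace_path") == cfg.namespace
            and claims.get("project_path") == expected_project_path)


# Constructed sample of the relevant GitLab CI ID-token claims (not a real token).
SAMPLE_CLAIMS = {
    "namespace_path": "conbo_harbour/apps/storybook",
    "project_path": "conbo_harbour/apps/storybook/storybook.components",
}

# The split from the issue's step 3 versus the one from the correct-configuration table.
WRONG = TrustedPublisher("conbo_harbour", "apps/storybook/storybook.components")
RIGHT = split_gitlab_path("conbo_harbour/apps/storybook/storybook.components")

if __name__ == "__main__":
    for cfg in (WRONG, RIGHT):
        print(cfg, validate_config(cfg), matches_token(cfg, SAMPLE_CLAIMS))
```

Note that both splits yield the same project_path, so only the namespace_path comparison distinguishes them; that is exactly why the wrong split fails silently until the token exchange.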
