Describe the bug
When running npm stage publish inside a vp run script, the OIDC environment variables set by github action are not correctly forwarded to the npm binary. That results in npm skiping OIDC authentication and falling back to node token authentication.
Reproduction
see the steps to reproduce
Steps to reproduce
from a publish.yml file, as soon as you replace this :
- name: Working Publishing
env:
ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
run: npm run -w <MyPackageScope> release
- name: Failing Publishing
env:
ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
run: vp run release
the npm stage publish fails.
A silly log from npm clearly shows:
npm silly oidc Skipped because incorrect permissions for id-token within GitHub workflow
The main package.json script entry contains :
"scripts": {
"release": "npm run -w <MyPackageScope> release"
}
the final run command in the scoped package is
"scripts": {
"release": "npm stage publish --provenance"
}
System Info
Environment:
Version 24.18.0
Source engines.node
Source Path /home/runner/work/time-provider/time-provider/package.json
Project Root /home/runner/work/time-provider/time-provider
Tool Paths:
node /home/runner/.vite-plus/js_runtime/node/24.18.0/bin/node
npm /home/runner/.vite-plus/js_runtime/node/24.18.0/bin/npm
npx /home/runner/.vite-plus/js_runtime/node/24.18.0/bin/npx
Package Manager:
Name bun
Version 1.3.14
Source packageManager
Source Path /home/runner/work/time-provider/time-provider/package.json
Project Root /home/runner/work/time-provider/time-provider
Bin Path /home/runner/.vite-plus/package_manager/bun/1.3.14/bun/bin/bun
vp v0.2.4
Local vite-plus:
vite-plus v0.2.4
Tools:
vite v8.1.3
rolldown v1.1.4
vitest v4.1.10
oxfmt v0.57.0
oxlint v1.72.0
oxlint-tsgolint v0.24.0
tsdown v0.22.3
Environment:
Package manager bun v1.3.14
Node.js v24.18.0 (engines.node)
Used Package Manager
bun
Logs
Validations
Describe the bug
When running npm stage publish inside a vp run script, the OIDC environment variables set by github action are not correctly forwarded to the npm binary. That results in npm skiping OIDC authentication and falling back to node token authentication.
Reproduction
see the steps to reproduce
Steps to reproduce
from a publish.yml file, as soon as you replace this :
the npm stage publish fails.
A silly log from npm clearly shows:
npm silly oidc Skipped because incorrect permissions for id-token within GitHub workflowThe main package.json script entry contains :
the final run command in the scoped package is
System Info
Used Package Manager
bun
Logs
Validations