Skip to content

fix(ci): use npm trusted publishing (OIDC) instead of secret tokens#40

Merged
rhuanbarreto merged 2 commits into
mainfrom
fix/trusted-publishing
Mar 3, 2026
Merged

fix(ci): use npm trusted publishing (OIDC) instead of secret tokens#40
rhuanbarreto merged 2 commits into
mainfrom
fix/trusted-publishing

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • Replace NPM_TOKEN secret-based auth with OIDC trusted publishing in both release.yml and release-binaries.yml
  • Add id-token: write permission to release-binaries.yml for OIDC token exchange
  • Add --provenance flag to platform package npm publish commands
  • Replace npm-token input with NPM_CONFIG_PROVENANCE env var in release.yml
  • Add .mcp.json to .gitignore to prevent local MCP config from being committed

Before merging

Configure trusted publishers on npmjs.com for all 4 packages:

Package Workflow to trust
archgate release.yml
archgate-darwin-arm64 release-binaries.yml
archgate-linux-x64 release-binaries.yml
archgate-win32-x64 release-binaries.yml

For each: Settings → Publishing access → Add trusted publisher with owner archgate, repo cli, and the workflow filename above.

After verifying the first successful publish, the NPM_TOKEN secret can be removed from the repository.

Test plan

  • Configure trusted publishers on npmjs.com for all 4 packages
  • Merge and trigger a release to verify main package publishes via OIDC
  • Trigger release-binaries.yml to verify platform packages publish via OIDC
  • Verify provenance attestations appear on npmjs.com package pages
  • Remove NPM_TOKEN secret after successful verification

🤖 Generated with Claude Code

rhuanbarreto and others added 2 commits March 3, 2026 21:49
Replace NPM_TOKEN-based authentication with OIDC trusted publishing
for both release workflows, improving supply chain security.

- release-binaries.yml: add id-token: write, use --provenance, remove NODE_AUTH_TOKEN
- release.yml: remove npm-token input, add NPM_CONFIG_PROVENANCE env var

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prevent local MCP server config from being committed to the repo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rhuanbarreto rhuanbarreto merged commit 786711f into main Mar 3, 2026
6 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/trusted-publishing branch March 3, 2026 20:52
@archgatebot archgatebot Bot mentioned this pull request Mar 3, 2026
rhuanbarreto added a commit that referenced this pull request Mar 3, 2026
)

* fix(ci): use npm trusted publishing (OIDC) instead of secret tokens

Replace NPM_TOKEN-based authentication with OIDC trusted publishing
for both release workflows, improving supply chain security.

- release-binaries.yml: add id-token: write, use --provenance, remove NODE_AUTH_TOKEN
- release.yml: remove npm-token input, add NPM_CONFIG_PROVENANCE env var

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add .mcp.json to .gitignore

Prevent local MCP server config from being committed to the repo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
rhuanbarreto added a commit that referenced this pull request Mar 4, 2026
)

* fix(ci): use npm trusted publishing (OIDC) instead of secret tokens

Replace NPM_TOKEN-based authentication with OIDC trusted publishing
for both release workflows, improving supply chain security.

- release-binaries.yml: add id-token: write, use --provenance, remove NODE_AUTH_TOKEN
- release.yml: remove npm-token input, add NPM_CONFIG_PROVENANCE env var

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add .mcp.json to .gitignore

Prevent local MCP server config from being committed to the repo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant