publish_npm: use Trusted Publishing (OIDC) for auth, not NPM_TOKEN #700
Merged
Conversation
Trusted Publishing is now configured on npmjs.org for theengs-decoder (repo: theengs/decoder, workflow: publish_npm.yml). The v2.3.0 publish still returned 404 because:

- Node 20 ships with npm 10.x, which only uses OIDC for provenance attestation. Authentication still relied on NODE_AUTH_TOKEN, and the NPM_TOKEN secret is no longer valid, so PUT was rejected.
- Full OIDC auth for npm publish requires npm 11.5.1+.

Upgrade npm to latest before publishing, and drop the NODE_AUTH_TOKEN env from the publish steps so the CLI uses the Trusted Publisher flow end-to-end. The NPM_TOKEN secret can be removed from the repo once this lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Trusted Publishing is now configured on npmjs.org for `theengs-decoder` (repo `theengs/decoder`, workflow `publish_npm.yml`). The v2.3.0 publish still returned `404 Not Found - PUT https://registry.npmjs.org/theengs-decoder` even though the provenance statement was signed successfully. Two causes:

- Node 20 ships with npm 10.x, which only uses OIDC for provenance attestation; authentication still relied on `NODE_AUTH_TOKEN`. With `NPM_TOKEN` no longer valid (since Trusted Publishing replaced it), the PUT was unauthorized → 404.
- Full OIDC auth for `npm publish` requires npm 11.5.1+.

Upgrade npm to latest before publishing, and drop the `NODE_AUTH_TOKEN` env from the two publish steps so the CLI uses the Trusted Publisher flow end-to-end. The `NPM_TOKEN` secret can be deleted from the repo.

Test plan
Publish to npm via `workflow_dispatch` with the version input set to `2.3.0` (or re-publish the v2.3.0 release) and confirm both `theengs-decoder@2.3.0` and `node-red-contrib-theengs-decoder@2.3.0` appear on npm with provenance.

🤖 Generated with Claude Code
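For readers who want to see the shape of the fix the PR describes, here is an added illustration of a GitHub Actions publish job that authenticates through npm Trusted Publishing instead of a stored token. It is not the project's actual `publish_npm.yml`; the job and step names, the `npm install -g npm@latest` step, and the `npm version` step are assumptions, and it assumes a Trusted Publisher is already configured on npmjs.org for this repository and workflow filename.

```yaml
# Added example, not the project's own workflow. Assumes a Trusted Publisher
# exists on npmjs.org for this repo + workflow file and a GitHub-hosted runner.
name: publish_npm

on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to publish
        required: true

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required so the job can request an OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Node 20 bundles npm 10.x, which only uses OIDC for provenance attestation.
      # Using Trusted Publishing as the *authentication* method needs npm 11.5.1+.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm version "${{ inputs.version }}" --no-git-tag-version
      # Before (breaks once NPM_TOKEN is revoked): the step forced token auth,
      # so the PUT was rejected even though provenance signing succeeded.
      #   - run: npm publish --provenance --access public
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # After: no NODE_AUTH_TOKEN in the environment, so npm >= 11.5.1 exchanges
      # the job's OIDC token for a short-lived publish credential itself.
      - run: npm publish --provenance --access public
```

Once the publish succeeds this way, the `NPM_TOKEN` repository secret has no remaining consumer and can be deleted, which removes a long-lived credential from the repo entirely.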