From b0908758e44a3880b87052db783b632a729d6abe Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:31:03 +0000 Subject: [PATCH 01/15] Initial plan From dfc263890f4c847f263c7a351b75acf9e606d946 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:34:34 +0000 Subject: [PATCH 02/15] Replace npm token auth with OIDC trusted publishing Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com> --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d899cf3..8bd9ebf2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,7 @@ name: CI permissions: contents: write pull-requests: write + id-token: write on: push: branches: @@ -74,6 +75,7 @@ jobs: - uses: actions/setup-node@v6 with: node-version: 20.x + registry-url: 'https://registry.npmjs.org' - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' @@ -82,7 +84,6 @@ jobs: - uses: JS-DevTools/npm-publish@v4.1.2 if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' with: - token: ${{ secrets.NPM_TOKEN }} tag: ${{ env.GITHUB_REF_SLUG }} npm-publish-latest: @@ -96,10 +97,10 @@ jobs: - uses: actions/setup-node@v6 with: node-version: 20.x + registry-url: 'https://registry.npmjs.org' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - uses: JS-DevTools/npm-publish@v4.1.2 if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' with: - token: ${{ secrets.NPM_TOKEN }} tag: latest From c737309b2d134f81e2261b40f9e50d31b80a7728 Mon Sep 17 00:00:00 2001 
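Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in this workflow — including the matrix build job that runs on each push — can mint an OIDC token, not only the two publish jobs that need one. As far as I know npm's trusted-publisher binding is to the repository and the workflow file (plus an optional environment), not to a particular job, so a token minted from the build job would be accepted by the registry just the same. Keep the grant on the publish jobs only, e.g. under `npm-publish-build:` add `permissions:` / `  id-token: write` / `  contents: read`, and remove it from the top-level block; the job-level blocks added later in this series (PATCH 11) add the per-job grant but leave the workflow-level one in place. Attaching an `environment:` to the publish jobs and naming it in the npm trusted-publisher configuration would narrow the binding further.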
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:36:07 +0000 Subject: [PATCH 03/15] Fix trailing whitespace in ci.yml Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8bd9ebf2..3c54ff20 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,6 +101,6 @@ jobs: - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - uses: JS-DevTools/npm-publish@v4.1.2 - if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' with: tag: latest From e7878f992b3685f03ce74c650ab76812edae2583 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:57:53 +0000 Subject: [PATCH 04/15] Use npm CLI directly instead of JS-DevTools action Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com> --- .github/workflows/ci.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c54ff20..049faec1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,7 @@ jobs: npm-publish-build: needs: build runs-on: ubuntu-latest + if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' steps: - uses: actions/download-artifact@v7 with: 
@@ -76,20 +77,19 @@ jobs: with: node-version: 20.x registry-url: 'https://registry.npmjs.org' + - run: npm i -g npm@latest - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - - uses: JS-DevTools/npm-publish@v4.1.2 - if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' - with: - tag: ${{ env.GITHUB_REF_SLUG }} + - name: Publish to npm + run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} npm-publish-latest: needs: [build, npm-publish-build] runs-on: ubuntu-latest - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' steps: - uses: actions/download-artifact@v7 with: @@ -98,9 +98,8 @@ jobs: with: node-version: 20.x registry-url: 'https://registry.npmjs.org' + - run: npm i -g npm@latest - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - - uses: JS-DevTools/npm-publish@v4.1.2 - if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' - with: - tag: latest + - name: Publish to npm + run: npm publish --tag latest From af3d10a5abfed571e7f11003e5a13b91709c6349 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:59:50 +0000 Subject: [PATCH 05/15] Pin npm version to ^11.5.1 for OIDC support Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 049faec1..88ed9473 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
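Review bot: The new `run: npm publish --tag ${{ env.GITHUB_REF_SLUG }}` in the `@@ -76` hunk interpolates a GitHub expression directly into the shell script, whereas the removed `with: tag:` input was never shell-evaluated. The slug action exports the value as a process environment variable (which is why `env.GITHUB_REF_SLUG` resolves at all), so the shell can read it without template expansion: `run: npm publish --tag "$GITHUB_REF_SLUG"`. The slugified value is unlikely to carry shell metacharacters, but the `$VAR` form keeps the expression-in-`run:` pattern that actionlint- and zizmor-style linters flag out of the publish step; the `@@ -98` hunk uses the literal `latest` and is unaffected.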
@@ -77,7 +77,7 @@ jobs: with: node-version: 20.x registry-url: 'https://registry.npmjs.org' - - run: npm i -g npm@latest + - run: npm i -g npm@^11.5.1 - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' @@ -98,7 +98,7 @@ jobs: with: node-version: 20.x registry-url: 'https://registry.npmjs.org' - - run: npm i -g npm@latest + - run: npm i -g npm@^11.5.1 - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - name: Publish to npm From 6b3bb08c5c3eb85e25e348f3f2a544ab0b12f39a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 14:24:21 +0000 Subject: [PATCH 06/15] Use Node.js 22 from setup-node instead of npm install Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com> --- .github/workflows/ci.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 88ed9473..be4fa7ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -75,9 +75,8 @@ jobs: name: build - uses: actions/setup-node@v6 with: - node-version: 20.x + node-version: 22.x registry-url: 'https://registry.npmjs.org' - - run: npm i -g npm@^11.5.1 - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' @@ -96,9 +95,8 @@ jobs: name: build - uses: actions/setup-node@v6 with: - node-version: 20.x + node-version: 22.x registry-url: 'https://registry.npmjs.org' - - run: npm i -g npm@^11.5.1 - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - name: Publish to npm From cbff3cf9286f711410f09fe3107b85f5954af9ee Mon Sep 17 00:00:00 2001 
From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Tue, 6 Jan 2026 17:04:39 +0000 Subject: [PATCH 07/15] Add Node.js 24.x to CI workflow --- .github/workflows/ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be4fa7ac..08090658 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,7 @@ jobs: node-version: - 20.x - 22.x + - 24.x steps: - uses: actions/checkout@v6 - name: Use Node.js ${{ matrix.node-version }} @@ -31,7 +32,7 @@ jobs: - run: npm run build - run: npm run doc - name: Save build - if: matrix.node-version == '20.x' + if: matrix.node-version == '24.x' uses: actions/upload-artifact@v6 with: name: build @@ -75,7 +76,7 @@ jobs: name: build - uses: actions/setup-node@v6 with: - node-version: 22.x + node-version: 24.x registry-url: 'https://registry.npmjs.org' - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version @@ -95,9 +96,9 @@ jobs: name: build - uses: actions/setup-node@v6 with: - node-version: 22.x + node-version: 24.x registry-url: 'https://registry.npmjs.org' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - name: Publish to npm - run: npm publish --tag latest + run: npm publish From 1dfb900b7ef7fe788beb131a97b0fd210387df19 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Tue, 6 Jan 2026 23:56:19 +0000 Subject: [PATCH 08/15] Update package.json --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 8fe98c32..10580d82 100644 --- a/package.json +++ b/package.json @@ -42,7 +42,7 @@ }, "repository": { "type": "git", - "url": "git+https://github.com/solidos/solid-ui.git" + "url": "https://github.com/solidos/solid-ui" }, "keywords": [ "solid", From dbbf23db1c5839beda9b88b407199d0febc80004 Mon Sep 17 00:00:00 2001 
From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 7 Jan 2026 00:04:00 +0000 Subject: [PATCH 09/15] Check npm version check before publishing --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 08090658..70d75d34 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -100,5 +100,7 @@ jobs: registry-url: 'https://registry.npmjs.org' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' + - name: Check npm version + run: npm --version - name: Publish to npm run: npm publish From 74d44c4184c829176f17fe87b02225d0a2f6174d Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Wed, 7 Jan 2026 00:04:45 +0000 Subject: [PATCH 10/15] Add npm version check to CI workflow --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 70d75d34..9efd9dee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -83,6 +83,8 @@ jobs: run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' + - name: Check npm version + run: npm --version - name: Publish to npm run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} From 7ef6381221799222f423a390a09269d2a4289039 Mon Sep 17 00:00:00 2001 From: Precious Oritsedere Date: Tue, 13 Jan 2026 10:12:45 +0000 Subject: [PATCH 11/15] update workflow for npm trusted publishing --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9efd9dee..f3b6aee5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -70,6 +70,9 @@ jobs: needs: build runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + permissions: + id-token: write # Required for OIDC trusted publishing + contents: read steps: - uses: actions/download-artifact@v7 with: @@ -92,6 +95,9 @@ jobs: needs: [build, npm-publish-build] runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' + permissions: + id-token: write # Required for OIDC trusted publishing + contents: read steps: - uses: actions/download-artifact@v7 with: From 5579241668c47630733d4345e9c653a126f4a529 Mon Sep 17 00:00:00 2001 From: Precious Oritsedere Date: Tue, 13 Jan 2026 10:43:46 +0000 Subject: [PATCH 12/15] added a dry-run publish step to verify OIDC authentication on PRs before merging --- .github/workflows/ci.yml | 120 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 116 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3b6aee5..93ac7d5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -81,14 +81,76 @@ jobs: with: node-version: 24.x registry-url: 'https://registry.npmjs.org' + # OIDC will be used automatically when id-token: write is set + # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - - name: Check npm version - run: npm --version + - name: Verify OIDC authentication + run: | + echo "Workflow name: ${{ github.workflow }}" + echo "Workflow file: ${{ github.workflow_ref }}" + echo "Repository: ${{ github.repository }}" + echo "Ref: ${{ github.ref }}" + echo "Actor: ${{ github.actor }}" + echo "Event name: ${{ github.event_name }}" + # Ensure no NODE_AUTH_TOKEN is set + if [ -n "$NODE_AUTH_TOKEN" ]; then + echo "WARNING: NODE_AUTH_TOKEN is set, which will prevent OIDC from working" + exit 1 + fi + # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) + if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then + echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" + else + echo "✓ OIDC token request token is available" + fi + - name: Check npm and Node versions + run: | + echo "Node version: $(node --version)" + echo "npm version: $(npm --version)" + # Ensure npm is at least 10.0.0 for OIDC support + npm_version=$(npm --version | cut -d. 
-f1) + if [ "$npm_version" -lt 10 ]; then + echo "WARNING: npm version is less than 10.0.0, OIDC may not work properly" + fi + - name: Verify npm configuration before publish + run: | + echo "=== npm configuration ===" + npm config list + echo "" + echo "=== Checking for .npmrc ===" + if [ -f .npmrc ]; then + echo "Found .npmrc:" + cat .npmrc + # Check if it contains token auth (should not for OIDC) + if grep -q "_authToken" .npmrc; then + echo "WARNING: .npmrc contains _authToken - this will prevent OIDC" + echo "Removing token configuration..." + sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true + sed -i '/^_authToken/d' .npmrc || true + fi + else + echo "No .npmrc file found (this is expected for OIDC)" + fi + echo "" + echo "=== Environment variables ===" + env | grep -i "npm\|node" || echo "No npm/node env vars found" + - name: Test npm publish (dry-run) - PRs only + if: github.event_name == 'pull_request' + run: | + echo "Testing npm publish authentication with dry-run..." + echo "This verifies OIDC authentication works without actually publishing" + npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || { + echo "ERROR: npm publish dry-run failed" + echo "This indicates OIDC authentication is not working correctly" + exit 1 + } + echo "✓ npm publish dry-run succeeded - OIDC authentication is working!" - name: Publish to npm + if: github.event_name != 'pull_request' run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} npm-publish-latest: 
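Review bot: The new `Verify npm configuration before publish` step writes `cat .npmrc` and `env | grep -i "npm\|node"` into the job log, which is exactly where a token-bearing `_authToken` line or a `NODE_AUTH_TOKEN`-like variable would appear in plain text (the log masker only hides values it already knows as secrets); the same steps are duplicated in the `npm-publish-latest` hunk that follows. The `grep -q "_authToken" .npmrc` check already answers the question without printing anything, so drop the `cat .npmrc` and `env | grep …` lines and keep only the presence check. The `Check npm and Node versions` step gates on `"$npm_version" -lt 10`, yet PATCH 05 in this same series pinned `npm@^11.5.1` as the version needed for OIDC, so a major-only check at 10 accepts versions the series itself judged insufficient; compare the full version against the documented minimum (e.g. via `sort -V`) rather than the major alone. A step named "Verify" that runs `sed -i` on `.npmrc` also mutates state; leaving repair to a dedicated step keeps verification read-only.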
@@ -106,9 +168,59 @@ jobs: with: node-version: 24.x registry-url: 'https://registry.npmjs.org' + # OIDC will be used automatically when id-token: write is set + # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead + - name: Verify OIDC authentication + run: | + echo "Workflow name: ${{ github.workflow }}" + echo "Workflow file: ${{ github.workflow_ref }}" + echo "Repository: ${{ github.repository }}" + echo "Ref: ${{ github.ref }}" + echo "Actor: ${{ github.actor }}" + echo "Event name: ${{ github.event_name }}" + # Ensure no NODE_AUTH_TOKEN is set + if [ -n "$NODE_AUTH_TOKEN" ]; then + echo "WARNING: NODE_AUTH_TOKEN is set, which will prevent OIDC from working" + exit 1 + fi + # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) + if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then + echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" + else + echo "✓ OIDC token request token is available" + fi - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - - name: Check npm version - run: npm --version + - name: Check npm and Node versions + run: | + echo "Node version: $(node --version)" + echo "npm version: $(npm --version)" + # Ensure npm is at least 10.0.0 for OIDC support + npm_version=$(npm --version | cut -d. -f1) + if [ "$npm_version" -lt 10 ]; then + echo "WARNING: npm version is less than 10.0.0, OIDC may not work properly" + fi + - name: Verify npm configuration before publish + run: | + echo "=== npm configuration ===" + npm config list + echo "" + echo "=== Checking for .npmrc ===" + if [ -f .npmrc ]; then + echo "Found .npmrc:" + cat .npmrc + # Check if it contains token auth (should not for OIDC) + if grep -q "_authToken" .npmrc; then + echo "WARNING: .npmrc contains _authToken - this will prevent OIDC" + echo "Removing token configuration..." 
+ sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true + sed -i '/^_authToken/d' .npmrc || true + fi + else + echo "No .npmrc file found (this is expected for OIDC)" + fi + echo "" + echo "=== Environment variables ===" + env | grep -i "npm\|node" || echo "No npm/node env vars found" - name: Publish to npm run: npm publish From 40beb81d752e80d250451f4acd52e3ff2c095f9c Mon Sep 17 00:00:00 2001 From: Precious Oritsedere Date: Tue, 13 Jan 2026 10:55:26 +0000 Subject: [PATCH 13/15] What I've updated in the workflow Added steps to clear npm token configuration Changed the verification to warn instead of fail (so you can see the issue) Added instructions in the logs about removing the secret --- .github/workflows/ci.yml | 56 +++++++++++++++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 93ac7d5d..7e0e7646 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -83,6 +83,22 @@ jobs: registry-url: 'https://registry.npmjs.org' # OIDC will be used automatically when id-token: write is set # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead + - name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC + run: | + # Remove any .npmrc file that might contain token auth + if [ -f "$HOME/.npmrc" ]; then + echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." + if grep -q "_authToken" "$HOME/.npmrc"; then + echo "Removing token auth from .npmrc..." + sed -i '/_authToken/d' "$HOME/.npmrc" || true + fi + fi + # Clear npm config token settings + npm config delete //registry.npmjs.org/:_authToken || true + npm config delete _authToken || true + # Note: NODE_AUTH_TOKEN env var from secrets will still be available + # but npm should prefer OIDC when configured correctly + echo "Cleared npm token configuration" - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' @@ -96,10 +112,16 @@ jobs: echo "Ref: ${{ github.ref }}" echo "Actor: ${{ github.actor }}" echo "Event name: ${{ github.event_name }}" - # Ensure no NODE_AUTH_TOKEN is set + # Check if NODE_AUTH_TOKEN is set (from repository secrets) if [ -n "$NODE_AUTH_TOKEN" ]; then - echo "WARNING: NODE_AUTH_TOKEN is set, which will prevent OIDC from working" - exit 1 + echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" + echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" + echo "from repository Settings > Secrets and variables > Actions" + echo "" + echo "For now, we'll try to work around it by clearing npm config..." + # Don't exit - try to work around it + else + echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" fi # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then 
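Review bot: The new step named `Clear NODE_AUTH_TOKEN and npm token config to force OIDC` cannot clear `NODE_AUTH_TOKEN` — a `run:` step cannot unset a variable injected by the job or workflow `env:`, as the in-script comment concedes — so the step name promises more than the script delivers; `Clear npm token configuration` would be accurate. Replacing `exit 1` with a warning in `Verify OIDC authentication` means that when a token is present the publish silently falls back to token authentication, the very path this series is retiring, and nothing downstream distinguishes a token-published release from an OIDC-published one. Keep the hard failure for real publishes and relax it only for pull-request runs, e.g. `if [ -n "$NODE_AUTH_TOKEN" ] && [ "$GITHUB_EVENT_NAME" != "pull_request" ]; then echo "…"; exit 1; fi`. The same two changes are repeated for the `npm-publish-latest` job in the following two hunks.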
@@ -170,6 +192,22 @@ jobs: registry-url: 'https://registry.npmjs.org' # OIDC will be used automatically when id-token: write is set # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead + - name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC + run: | + # Remove any .npmrc file that might contain token auth + if [ -f "$HOME/.npmrc" ]; then + echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." + if grep -q "_authToken" "$HOME/.npmrc"; then + echo "Removing token auth from .npmrc..." + sed -i '/_authToken/d' "$HOME/.npmrc" || true + fi + fi + # Clear npm config token settings + npm config delete //registry.npmjs.org/:_authToken || true + npm config delete _authToken || true + # Note: NODE_AUTH_TOKEN env var from secrets will still be available + # but npm should prefer OIDC when configured correctly + echo "Cleared npm token configuration" - name: Verify OIDC authentication run: | echo "Workflow name: ${{ github.workflow }}" @@ -178,10 +216,16 @@ jobs: echo "Ref: ${{ github.ref }}" echo "Actor: ${{ github.actor }}" echo "Event name: ${{ github.event_name }}" - # Ensure no NODE_AUTH_TOKEN is set + # Check if NODE_AUTH_TOKEN is set (from repository secrets) if [ -n "$NODE_AUTH_TOKEN" ]; then - echo "WARNING: NODE_AUTH_TOKEN is set, which will prevent OIDC from working" - exit 1 + echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" + echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" + echo "from repository Settings > Secrets and variables > Actions" + echo "" + echo "For now, we'll try to work around it by clearing npm config..." + # Don't exit - try to work around it + else + echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" fi # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then From 727190e6a62ae2c5c31f411f208aa80aabc4a24e Mon Sep 17 00:00:00 2001 
From: Precious Oritsedere Date: Tue, 13 Jan 2026 13:45:56 +0000 Subject: [PATCH 14/15] - Created reusable scripts (addressing duplication) - Addressed dry-run comment --- .github/scripts/clear-npm-token.sh | 29 ++++++ .github/scripts/verify-oidc.sh | 72 +++++++++++++ .github/workflows/ci.yml | 157 ++--------------------------- 3 files changed, 111 insertions(+), 147 deletions(-) create mode 100755 .github/scripts/clear-npm-token.sh create mode 100755 .github/scripts/verify-oidc.sh diff --git a/.github/scripts/clear-npm-token.sh b/.github/scripts/clear-npm-token.sh new file mode 100755 index 00000000..d4357910 --- /dev/null +++ b/.github/scripts/clear-npm-token.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# Clear npm token configuration to ensure OIDC is used instead +# This script removes any token-based authentication from npm config +# Note: We use '|| true' for commands that may fail if config doesn't exist + +echo "Clearing npm token configuration to force OIDC usage..." + +# Remove any .npmrc file that might contain token auth +if [ -f "$HOME/.npmrc" ]; then + echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." + if grep -q "_authToken" "$HOME/.npmrc"; then + echo "Removing token auth from .npmrc..." + sed -i '/_authToken/d' "$HOME/.npmrc" || true + fi +fi + +# Clear npm config token settings +npm config delete //registry.npmjs.org/:_authToken || true +npm config delete _authToken || true + +# Note: If NODE_AUTH_TOKEN secret exists in repository, it should be removed +# from Settings > Secrets and variables > Actions to allow OIDC to work properly +if [ -n "$NODE_AUTH_TOKEN" ]; then + echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" + echo "This may prevent OIDC from working. Consider removing it from" + echo "repository Settings > Secrets and variables > Actions" +fi + +echo "✓ Cleared npm token configuration" diff --git a/.github/scripts/verify-oidc.sh b/.github/scripts/verify-oidc.sh new file mode 100755 index 00000000..19481d24 
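Review bot: The `.npmrc` check in `clear-npm-token.sh` looks only at `$HOME/.npmrc`, but `actions/setup-node` with `registry-url` writes its `_authToken` line to a `.npmrc` under `$RUNNER_TEMP` and exports `NPM_CONFIG_USERCONFIG` pointing at it (as far as I recall), so the `grep -q` branch most likely never fires on the file that actually matters. The two `npm config delete` lines operate on the user config and therefore do cover that file, but the check and its log lines should target the same location: `npmrc="${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"` followed by `if [ -f "$npmrc" ] && grep -q "_authToken" "$npmrc"; then sed -i '/_authToken/d' "$npmrc" || true; fi`. A header comment noting that the script must run after `setup-node` and before `npm publish` would document the ordering the workflow relies on.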
--- /dev/null +++ b/.github/scripts/verify-oidc.sh 
@@ -0,0 +1,72 @@ +#!/bin/bash +# Verify OIDC authentication setup for npm trusted publishing +# This script checks that all prerequisites for OIDC are met +# Note: We don't use 'set -e' here so we can continue checking even if some conditions fail + +echo "=== Verifying OIDC Authentication Setup ===" +echo "" +echo "Workflow name: ${GITHUB_WORKFLOW:-unknown}" +echo "Workflow file: ${GITHUB_WORKFLOW_REF:-unknown}" +echo "Repository: ${GITHUB_REPOSITORY:-unknown}" +echo "Ref: ${GITHUB_REF:-unknown}" +echo "Actor: ${GITHUB_ACTOR:-unknown}" +echo "Event name: ${GITHUB_EVENT_NAME:-unknown}" +echo "" + +# Check if NODE_AUTH_TOKEN is set (from repository secrets) +if [ -n "$NODE_AUTH_TOKEN" ]; then + echo "⚠️ WARNING: NODE_AUTH_TOKEN secret is configured in repository" + echo " This may prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" + echo " from repository Settings > Secrets and variables > Actions" + echo "" +else + echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" +fi + +# Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) +if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then + echo "⚠️ WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" + echo " Ensure the workflow has 'id-token: write' permission" +else + echo "✓ OIDC token request token is available" +fi + +echo "" +echo "=== Node.js and npm Versions ===" +echo "Node version: $(node --version)" +echo "npm version: $(npm --version)" + +# Ensure npm is at least 10.0.0 for OIDC support +npm_version=$(npm --version | cut -d. 
-f1) +if [ "$npm_version" -lt 10 ]; then + echo "⚠️ WARNING: npm version is less than 10.0.0, OIDC may not work properly" +else + echo "✓ npm version supports OIDC (10.0.0+)" +fi + +echo "" +echo "=== npm Configuration ===" +npm config list + +echo "" +echo "=== Checking for .npmrc ===" +if [ -f .npmrc ]; then + echo "Found .npmrc in current directory:" + cat .npmrc + # Check if it contains token auth (should not for OIDC) + if grep -q "_authToken" .npmrc; then + echo "⚠️ WARNING: .npmrc contains _authToken - this will prevent OIDC" + echo "Removing token configuration..." + sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true + sed -i '/^_authToken/d' .npmrc || true + fi +else + echo "No .npmrc file found in current directory (this is expected for OIDC)" +fi + +echo "" +echo "=== Environment Variables ===" +env | grep -i "npm\|node" || echo "No npm/node env vars found" + +echo "" +echo "=== OIDC Verification Complete ===" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e0e7646..4720564d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
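Review bot: `verify-oidc.sh` never exits non-zero — every branch only `echo`s and the final command is an `echo` — so the `Verify OIDC authentication` step succeeds whatever it finds and cannot gate the `npm publish` step that follows it. It also prints `cat .npmrc` and `env | grep -i "npm\|node"` into the job log, where a token line or a `NODE_AUTH_TOKEN`-like variable would appear in plain text, and it edits `.npmrc` with `sed -i` inside a script whose stated purpose is verification. Track a status flag, drop the file and environment dumps in favour of presence checks, leave repair to `clear-npm-token.sh`, and return the flag so the workflow decides what is fatal; the version gate should compare against the full version this series pinned in PATCH 05 (`11.5.1`) rather than the major alone. The rewritten checks below keep every existing message that does not print secrets.
```shell
#!/bin/bash
# Verify OIDC authentication setup for npm trusted publishing.
# Read-only: reports findings and exits non-zero when a hard prerequisite is missing.
status=0
# … unchanged: workflow/repository/ref/actor/event echo lines …
# … unchanged: NODE_AUTH_TOKEN presence warning …
if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
  echo "⚠️ WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work"
  echo "   Ensure the workflow has 'id-token: write' permission"
  status=1
else
  echo "✓ OIDC token request token is available"
fi
# … unchanged: Node/npm version echo lines …
# Compare the full version against the minimum this workflow relies on (PATCH 05), not just the major
min_npm="11.5.1"
if [ "$(printf '%s\n' "$min_npm" "$(npm --version)" | sort -V | head -n1)" != "$min_npm" ]; then
  echo "⚠️ WARNING: npm version is below $min_npm, OIDC may not work properly"
fi
echo ""
echo "=== Checking for .npmrc ==="
# Presence check only: never cat the file or dump the environment into the job log
for npmrc in .npmrc "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"; do
  if [ -f "$npmrc" ] && grep -q "_authToken" "$npmrc"; then
    echo "⚠️ WARNING: $npmrc contains _authToken - this will prevent OIDC (run clear-npm-token.sh first)"
    status=1
  fi
done
echo ""
echo "=== OIDC Verification Complete ==="
exit "$status"
```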
@@ -81,90 +81,21 @@ jobs: with: node-version: 24.x registry-url: 'https://registry.npmjs.org' - # OIDC will be used automatically when id-token: write is set - # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead - - name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC - run: | - # Remove any .npmrc file that might contain token auth - if [ -f "$HOME/.npmrc" ]; then - echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." - if grep -q "_authToken" "$HOME/.npmrc"; then - echo "Removing token auth from .npmrc..." - sed -i '/_authToken/d' "$HOME/.npmrc" || true - fi - fi - # Clear npm config token settings - npm config delete //registry.npmjs.org/:_authToken || true - npm config delete _authToken || true - # Note: NODE_AUTH_TOKEN env var from secrets will still be available - # but npm should prefer OIDC when configured correctly - echo "Cleared npm token configuration" + - name: Clear npm token configuration + run: bash .github/scripts/clear-npm-token.sh - uses: rlespinasse/github-slug-action@v4.x - name: Append commit hash to package version run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json' - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - name: Verify OIDC authentication - run: | - echo "Workflow name: ${{ github.workflow }}" - echo "Workflow file: ${{ github.workflow_ref }}" - echo "Repository: ${{ github.repository }}" - echo "Ref: ${{ github.ref }}" - echo "Actor: ${{ github.actor }}" - echo "Event name: ${{ github.event_name }}" - # Check if NODE_AUTH_TOKEN is set (from repository secrets) - if [ -n "$NODE_AUTH_TOKEN" ]; then - echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" - echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" - echo "from repository Settings > Secrets and variables > Actions" - echo "" - echo "For now, we'll try to work around it by clearing npm config..." 
- # Don't exit - try to work around it - else - echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" - fi - # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) - if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then - echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" - else - echo "✓ OIDC token request token is available" - fi - - name: Check npm and Node versions - run: | - echo "Node version: $(node --version)" - echo "npm version: $(npm --version)" - # Ensure npm is at least 10.0.0 for OIDC support - npm_version=$(npm --version | cut -d. -f1) - if [ "$npm_version" -lt 10 ]; then - echo "WARNING: npm version is less than 10.0.0, OIDC may not work properly" - fi - - name: Verify npm configuration before publish - run: | - echo "=== npm configuration ===" - npm config list - echo "" - echo "=== Checking for .npmrc ===" - if [ -f .npmrc ]; then - echo "Found .npmrc:" - cat .npmrc - # Check if it contains token auth (should not for OIDC) - if grep -q "_authToken" .npmrc; then - echo "WARNING: .npmrc contains _authToken - this will prevent OIDC" - echo "Removing token configuration..." - sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true - sed -i '/^_authToken/d' .npmrc || true - fi - else - echo "No .npmrc file found (this is expected for OIDC)" - fi - echo "" - echo "=== Environment variables ===" - env | grep -i "npm\|node" || echo "No npm/node env vars found" + run: bash .github/scripts/verify-oidc.sh - name: Test npm publish (dry-run) - PRs only if: github.event_name == 'pull_request' run: | echo "Testing npm publish authentication with dry-run..." - echo "This verifies OIDC authentication works without actually publishing" + echo "Note: OIDC tokens ARE available for pull_request events when the workflow" + echo "has 'id-token: write' permission, allowing us to verify authentication." 
npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || { echo "ERROR: npm publish dry-run failed" echo "This indicates OIDC authentication is not working correctly" 
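Review bot: The reworded log line `echo "Note: OIDC tokens ARE available for pull_request events when the workflow"` asserts something this step does not demonstrate: whether `npm publish --dry-run` performs the OIDC token exchange at all, or only packs and reports the tarball, should be confirmed against the npm version in use before the success message claims "OIDC authentication is working". The statement also holds only for pull requests from the same repository; `pull_request` runs from forks receive a read-only token and no `id-token`, so the step would fail there for reasons unrelated to the publishing configuration — consider `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository`. The enclosing `npm-publish-build` job starts before this hunk.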
@@ -191,80 +122,12 @@ jobs: node-version: 24.x registry-url: 'https://registry.npmjs.org' # OIDC will be used automatically when id-token: write is set - # Do not provide NODE_AUTH_TOKEN - OIDC will be used instead - - name: Clear NODE_AUTH_TOKEN and npm token config to force OIDC - run: | - # Remove any .npmrc file that might contain token auth - if [ -f "$HOME/.npmrc" ]; then - echo "Found .npmrc at $HOME/.npmrc, checking for token auth..." - if grep -q "_authToken" "$HOME/.npmrc"; then - echo "Removing token auth from .npmrc..." - sed -i '/_authToken/d' "$HOME/.npmrc" || true - fi - fi - # Clear npm config token settings - npm config delete //registry.npmjs.org/:_authToken || true - npm config delete _authToken || true - # Note: NODE_AUTH_TOKEN env var from secrets will still be available - # but npm should prefer OIDC when configured correctly - echo "Cleared npm token configuration" - - name: Verify OIDC authentication - run: | - echo "Workflow name: ${{ github.workflow }}" - echo "Workflow file: ${{ github.workflow_ref }}" - echo "Repository: ${{ github.repository }}" - echo "Ref: ${{ github.ref }}" - echo "Actor: ${{ github.actor }}" - echo "Event name: ${{ github.event_name }}" - # Check if NODE_AUTH_TOKEN is set (from repository secrets) - if [ -n "$NODE_AUTH_TOKEN" ]; then - echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository" - echo "This will prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret" - echo "from repository Settings > Secrets and variables > Actions" - echo "" - echo "For now, we'll try to work around it by clearing npm config..." 
- # Don't exit - try to work around it - else - echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)" - fi - # Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC) - if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then - echo "WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work" - else - echo "✓ OIDC token request token is available" - fi + + - name: Clear npm token configuration + run: bash .github/scripts/clear-npm-token.sh - name: Disable pre- and post-publish actions run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json' - - name: Check npm and Node versions - run: | - echo "Node version: $(node --version)" - echo "npm version: $(npm --version)" - # Ensure npm is at least 10.0.0 for OIDC support - npm_version=$(npm --version | cut -d. -f1) - if [ "$npm_version" -lt 10 ]; then - echo "WARNING: npm version is less than 10.0.0, OIDC may not work properly" - fi - - name: Verify npm configuration before publish - run: | - echo "=== npm configuration ===" - npm config list - echo "" - echo "=== Checking for .npmrc ===" - if [ -f .npmrc ]; then - echo "Found .npmrc:" - cat .npmrc - # Check if it contains token auth (should not for OIDC) - if grep -q "_authToken" .npmrc; then - echo "WARNING: .npmrc contains _authToken - this will prevent OIDC" - echo "Removing token configuration..." - sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true - sed -i '/^_authToken/d' .npmrc || true - fi - else - echo "No .npmrc file found (this is expected for OIDC)" - fi - echo "" - echo "=== Environment variables ===" - env | grep -i "npm\|node" || echo "No npm/node env vars found" + - name: Verify OIDC authentication + run: bash .github/scripts/verify-oidc.sh - name: Publish to npm run: npm publish From 10d1bef7f5bcae8a976bdac27f52dce183dfb25d Mon Sep 17 00:00:00 2001 
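Review bot: The new `run: bash .github/scripts/clear-npm-token.sh` and `run: bash .github/scripts/verify-oidc.sh` steps execute files from the repository tree, but the steps visible in this hunk only download the `build` artifact and run setup-node — nothing here checks the repository out, so unless a step above `node-version: 24.x` (outside the hunk) does, both invocations fail with a missing-file error before `npm publish` is reached. Patch 15/15 below adds `actions/checkout@v6` and a script-presence check to both jobs, which suggests this was hit in practice. Moving the token-clearing and OIDC diagnostics into external scripts also hides their failure behaviour from the workflow; a one-line comment above each step stating whether the script only reports or fails the job, e.g. `# Diagnostic only — does not fail the job` (or the opposite, whichever the script implements), would make the publish gate readable without opening the scripts.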
From: Precious Oritsedere Date: Tue, 13 Jan 2026 15:15:25 +0000 Subject: [PATCH 15/15] - Added script verification ste - Added --access public flag --- .github/workflows/ci.yml | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4720564d..cb72fecd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -74,13 +74,26 @@ jobs: id-token: write # Required for OIDC trusted publishing contents: read steps: + - uses: actions/checkout@v6 - uses: actions/download-artifact@v7 with: name: build + path: . + merge-multiple: true - uses: actions/setup-node@v6 with: node-version: 24.x registry-url: 'https://registry.npmjs.org' + - name: Verify scripts are available + run: | + if [ ! -f .github/scripts/clear-npm-token.sh ]; then + echo "ERROR: Script not found. Listing .github directory:" + ls -la .github/ || echo ".github directory not found" + ls -la .github/scripts/ || echo ".github/scripts directory not found" + exit 1 + fi + chmod +x .github/scripts/*.sh + echo "✓ Scripts are available and executable" - name: Clear npm token configuration run: bash .github/scripts/clear-npm-token.sh - uses: rlespinasse/github-slug-action@v4.x @@ -96,7 +109,7 @@ jobs: echo "Testing npm publish authentication with dry-run..." echo "Note: OIDC tokens ARE available for pull_request events when the workflow" echo "has 'id-token: write' permission, allowing us to verify authentication." - npm publish --dry-run --tag ${{ env.GITHUB_REF_SLUG }} || { + npm publish --dry-run --access public --tag ${{ env.GITHUB_REF_SLUG }} || { echo "ERROR: npm publish dry-run failed" echo "This indicates OIDC authentication is not working correctly" exit 1 
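Review bot: The `Verify scripts are available` step only tests for `.github/scripts/clear-npm-token.sh`, yet the job also runs `.github/scripts/verify-oidc.sh` later (the `Verify OIDC authentication` step added in the preceding patch), so a missing second script passes the check; test both, e.g. `for s in clear-npm-token.sh verify-oidc.sh; do [ -f ".github/scripts/$s" ] || { echo "ERROR: .github/scripts/$s not found"; exit 1; }; done`. The `chmod +x .github/scripts/*.sh` is unnecessary because every caller invokes the scripts through `bash`, and the glob touches any `.sh` file in that directory rather than the two the job uses. Separately, `actions/download-artifact@v7` with `path: .` unpacks the `build` artifact onto the freshly checked-out tree, so if that artifact happens to contain a `.github/` directory its copies of these scripts silently replace the checked-out ones and are what the later steps execute; downloading into a dedicated directory, or a comment stating why the overlay onto the workspace root is required, keeps the executed scripts tied to the checkout. `merge-multiple: true` appears to have no effect when a single artifact `name` is given. The same ten-line step is duplicated verbatim in the `@@ -114,15 +127,27 @@` hunk, where these points apply as well.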
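Review bot: `--tag ${{ env.GITHUB_REF_SLUG }}` interpolates a GitHub expression into the shell script at template time; the slug action lowercases and restricts the value to a narrow character set, which limits the risk here, but the value is already exported in the job environment (that is what `env.GITHUB_REF_SLUG` reads), so the step can reference it as a quoted shell variable and drop the interpolation entirely: `npm publish --dry-run --access public --tag "$GITHUB_REF_SLUG" || {`. The single-line publish in the `@@ -104,7 +117,7 @@` hunk has the same shape and would become `run: npm publish --access public --tag "$GITHUB_REF_SLUG"`. Reading the value from the environment rather than the expression also means a change to how the slug is produced cannot alter the structure of the command line.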
@@ -104,7 +117,7 @@ jobs: echo "✓ npm publish dry-run succeeded - OIDC authentication is working!" - name: Publish to npm if: github.event_name != 'pull_request' - run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} + run: npm publish --access public --tag ${{ env.GITHUB_REF_SLUG }} npm-publish-latest: needs: [build, npm-publish-build] @@ -114,15 +127,27 @@ jobs: id-token: write # Required for OIDC trusted publishing contents: read steps: + - uses: actions/checkout@v6 - uses: actions/download-artifact@v7 with: name: build + path: . + merge-multiple: true - uses: actions/setup-node@v6 with: node-version: 24.x registry-url: 'https://registry.npmjs.org' # OIDC will be used automatically when id-token: write is set - + - name: Verify scripts are available + run: | + if [ ! -f .github/scripts/clear-npm-token.sh ]; then + echo "ERROR: Script not found. Listing .github directory:" + ls -la .github/ || echo ".github directory not found" + ls -la .github/scripts/ || echo ".github/scripts directory not found" + exit 1 + fi + chmod +x .github/scripts/*.sh + echo "✓ Scripts are available and executable" - name: Clear npm token configuration run: bash .github/scripts/clear-npm-token.sh - name: Disable pre- and post-publish actions @@ -130,4 +155,4 @@ jobs: - name: Verify OIDC authentication run: bash .github/scripts/verify-oidc.sh - name: Publish to npm - run: npm publish + run: npm publish --access public