npm: migrate to trusted-publishers/oidc token #123
Description
Is there an existing issue for this item?
- I have searched the existing issues
Repositories
LizardByte/contribkit, LizardByte/shared-web, LizardByte/gamepad-helper
Languages/Skills/Technologies
GitHub actions, Bash/Shell/Scripting
Description
npm is removing the ability to use long lived tokens (https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/); however they have added a trusted publishers option (similar to PyPi) that allows publishing from trusted GitHub workflows.
I have already made the required changes on npmjs, so no publishing will occur until the changes are made on the GitHub side.
We should also change the publishing to occur when a release is published instead of on every push event.
For each repo:
- move publishing to separate on release event workflow... can probably live in .github and be called to make updates easier
- update permissions in publish workflow - https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
- update workflow name in npmjs
- remove npm token secret from org
- delete token from npmjs
Estimated Effort
effort:Medium
Priority
priority:Critical
Target Milestone
1-3 months
Dependencies
No response
Metadata
Metadata
Assignees
Type
Projects
Status