Use OIDC publishing for abis and solidity packages #11695
alvarof2 wants to merge 8 commits into release/core-contracts/17 from
Conversation
Cursor Bugbot has reviewed your changes and found 4 potential issues.
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '18.x' | ||
| node-version: '20.x' |
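Review bot: `node-version: '20.x'` floats on the minor, so the Node that runs the OIDC-authenticated `npm publish` can change whenever the runner's toolchain cache is refreshed; for a release job that now mints provenance, pin an exact release (or point setup-node's `node-version-file` at a version file checked into the repo) so the publishing toolchain is reproducible and a silent runtime change cannot be mistaken for an OIDC failure.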
Node.js 20.x doesn't meet OIDC minimum version requirement
High Severity
npm OIDC trusted publishing requires Node.js 22.14.0 or higher, but node-version is set to '20.x'. The version was upgraded from 18.x to 20.x, but that's still insufficient for trusted publishing. Both npm publish steps will fail authentication because the OIDC token exchange mechanism is not available on Node.js 20.
| run: echo "COMMIT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | ||
|
|
||
| - name: Update npm for OIDC trusted publishing (v11.5.1) | ||
| run: npm install -g npm@11.5.1 |
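Review bot: `npm install -g npm@11.5.1` gives the job no evidence that the upgrade took effect; on a runner where the global prefix is not first on PATH, the npm bundled with the setup-node toolchain can still be the one that runs `npm publish`. Add a guard right after it, e.g. `run: test "$(npm --version)" = "11.5.1"`, so a later authentication failure is not misread as a stale CLI. The literal `11.5.1` also appears in both the step name and the command; keep it in one place (an env value) so the two cannot drift.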
OIDC trusted publishing unsupported on self-hosted runners
High Severity
npm OIDC trusted publishing currently only supports GitHub-hosted runners, not self-hosted ones. This job uses runs-on: ['self-hosted', 'org', 'npm-publish']. The npm registry will reject the OIDC token from a self-hosted runner because it verifies the runner_environment claim. The old token-based auth that worked on self-hosted runners has been removed.
| uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest | ||
| with: | ||
| api-url: https://api.gateway.akeyless.celo-networks-dev.org | ||
| access-id: p-kf9vjzruht6l |
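Review bot: `docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest` is a floating tag, so the step that fetches release credentials executes whatever image is published under `latest` at job time; pin it by digest (`@sha256:...`) as you would any other action that handles secrets. Since this PR removes `NODE_AUTH_TOKEN`/`NPM_TOKEN` from the publish env in favour of OIDC, also check whether this Akeyless step still has a consumer; if nothing reads the fetched token any more, remove the step so the release job stops pulling a registry credential it never uses.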
setup-node registry-url creates .npmrc conflicting with OIDC
Medium Severity
The actions/setup-node step with registry-url generates an .npmrc file containing //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. Since NODE_AUTH_TOKEN was removed from the env vars, this resolves to empty, which can prevent npm from falling through to OIDC authentication — a known issue tracked in actions/setup-node#1440.
|
|
||
| - name: Update npm for OIDC trusted publishing (v11.5.1) | ||
| run: npm install -g npm@11.5.1 | ||
|
|
OIDC trusted publishing doesn't authenticate npm dist-tag add
High Severity
npm OIDC trusted publishing only authenticates the npm publish command. The npm dist-tag add calls at lines 110 and 127 will fail with auth errors because OIDC doesn't cover that command (tracked as npm/cli#8547). Previously, NODE_AUTH_TOKEN provided a persistent token that worked for both operations. After a successful publish, the step will error out on dist-tag add, leaving packages published but untagged with the commit hash.
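The four Bugbot findings above (npm version, runner type, the dangling `.npmrc` token, and `dist-tag` running without auth) are all things a job can check for itself before it reaches `npm publish`. The script below is an added example and is not code from the PR or from the celo-monorepo; it assumes the minimum npm is the 11.5.1 the PR installs, that the registry inspects the `runner_environment` claim of the GitHub OIDC JWT, and that the `.npmrc` is the one `actions/setup-node` writes when `registry-url` is set. The sample token it builds is a constructed, unsigned JWT used only to exercise the parsing; no registry exchange happens.

```shell
#!/bin/sh
# Added example, not part of the PR: preflight checks for a job that moves from
# NODE_AUTH_TOKEN to npm OIDC trusted publishing. Assumed: MIN_NPM from the PR's
# own upgrade step; claim name runner_environment from the GitHub OIDC token;
# the .npmrc auth line written by actions/setup-node when registry-url is set.
set -eu

MIN_NPM="11.5.1"

# version_ge A B: succeed when dotted version A >= B (three numeric parts, not lexical).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# b64url_decode: base64url on stdin -> raw bytes (restores the padding JWTs strip).
b64url_decode() {
  s=$(tr -d '\n' | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_claim TOKEN NAME: print the string value of claim NAME from the JWT payload.
# Adequate for the flat payload GitHub issues; it is not a general JSON parser.
jwt_claim() {
  printf '%s' "$1" | cut -d. -f2 | b64url_decode \
    | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# token_from_hosted_runner TOKEN: succeed only for a GitHub-hosted runner, which is
# the runner_environment the npm registry accepts for trusted publishing.
token_from_hosted_runner() {
  [ "$(jwt_claim "$1" runner_environment)" = "github-hosted" ]
}

# npmrc_has_dangling_token FILE: succeed when FILE carries the setup-node auth line
# but NODE_AUTH_TOKEN is unset or empty, so the line expands to an empty token.
npmrc_has_dangling_token() {
  grep -q '_authToken=\${NODE_AUTH_TOKEN}' "$1" 2>/dev/null && [ -z "${NODE_AUTH_TOKEN:-}" ]
}

# strip_dangling_token FILE: drop that line so npm can fall through to OIDC.
strip_dangling_token() {
  grep -v '_authToken=\${NODE_AUTH_TOKEN}' "$1" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

# dist_tag_will_fail RELEASE_VERSION: succeed when a non-dry-run release (RELEASE_VERSION
# set) would reach `npm dist-tag add` with no token, a call OIDC does not authenticate.
dist_tag_will_fail() {
  [ -n "$1" ] && [ -z "${NODE_AUTH_TOKEN:-}" ]
}

# make_sample_token ENV: constructed, unsigned JWT with runner_environment=ENV (demo input only).
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr -- '+/' '-_')
  pl=$(printf '{"iss":"https://token.actions.githubusercontent.com","runner_environment":"%s"}' "$1" \
       | base64 | tr -d '=\n' | tr -- '+/' '-_')
  printf '%s.%s.%s' "$hdr" "$pl" "unsigned"
}

# preflight NPM_VERSION ID_TOKEN NPMRC RELEASE_VERSION: report every blocker, fail if any.
preflight() {
  rc=0
  version_ge "$1" "$MIN_NPM" || { echo "npm $1 is below $MIN_NPM: no trusted publishing"; rc=1; }
  token_from_hosted_runner "$2" || { echo "ID token runner_environment is not github-hosted"; rc=1; }
  if npmrc_has_dangling_token "$3"; then echo "$3 has _authToken expanding to an empty NODE_AUTH_TOKEN"; rc=1; fi
  if dist_tag_will_fail "$4"; then echo "release $4 would run npm dist-tag add without a token"; rc=1; fi
  return $rc
}
```

In a real step the inputs would be `$(npm --version)`, the JWT returned in the `value` field when you GET `$ACTIONS_ID_TOKEN_REQUEST_URL` with `Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN` (which only works once the job has `permissions: id-token: write`), the `.npmrc` setup-node wrote under `$RUNNER_TEMP` or the workspace, and the same `RELEASE_VERSION` the workflow uses to decide between `--dry-run` and a real publish. The `dist_tag_will_fail` check is deliberately blunt: it does not try to make `dist-tag` work over OIDC, it just refuses to publish a package that the job will then be unable to tag.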
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d176e1b46e
| env: | ||
| RELEASE_TYPE: --tag ${{ env.RELEASE_TYPE != '' && env.RELEASE_TYPE || 'canary' }} | ||
| RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | ||
| NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }} | ||
| DRY_RUN: ${{ env.RELEASE_VERSION == '' && '--dry-run' || '' }} | ||
| COMMIT_HASH: ${{ env.COMMIT_HASH }} |
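Review bot: dropping `NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}` is the right direction, but none of the hunks shown here add `permissions: id-token: write` to the job; without it the runner cannot request the GitHub OIDC token that `npm publish` exchanges with the registry, and the publish fails before any `dist-tag` question arises. Set it at job level, with `contents: read` as the only other permission, rather than at workflow level, so only this job can mint ID tokens.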
Provide auth for dist-tag updates
This change removes NODE_AUTH_TOKEN from the publish step env while still running npm dist-tag add in non-dry-run releases, so the tag update now runs without explicit npm credentials. In this workflow that path is taken whenever RELEASE_VERSION is set, and npm dist-tag is a registry write operation (npm dist-tag --help: add, rm, ls) that fails unauthenticated (403/ENEEDAUTH), which would make release jobs fail after publishing and skip the commit-hash dist-tagging.
Commented the
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e89c28521a
| exit 0 | ||
| fi | ||
| npm dist-tag add @celo/contracts@$RELEASE_VERSION $COMMIT_HASH | ||
| # npm dist-tag add @celo/contracts@$RELEASE_VERSION $COMMIT_HASH |
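Review bot: commenting out `npm dist-tag add @celo/contracts@$RELEASE_VERSION $COMMIT_HASH` instead of deleting it leaves dead code, and the `COMMIT_HASH` step that feeds it stays in the workflow. Either remove both, or keep the tag and authenticate that one call separately: `dist-tag` is a registry write, so a granular npm token restricted to this package, exposed as `NODE_AUTH_TOKEN` only to a dedicated tagging step, keeps the least-privilege gain of the OIDC publish while preserving the commit-hash alias.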
Restore commit-hash dist-tagging in release publishes
In non-dry-run releases (RELEASE_VERSION set), this line is now commented out, so the workflow no longer creates the $COMMIT_HASH dist-tag alias after publishing. That silently removes the commit-to-package traceability behavior this job previously provided (the same change appears in both publish steps), even though the workflow still computes and logs commit-hash tagging.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a8b4abd4d7
| node-version: '18.x' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| #scope: '@celo' | ||
| node-version: '20.x' |
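Review bot: `registry-url: 'https://registry.npmjs.org'` is what makes `actions/setup-node` write an `.npmrc` containing `_authToken=${NODE_AUTH_TOKEN}`; with that variable gone from the publish env, drop `registry-url` (and the commented `#scope: '@celo'`) so no auth line is written and npm's OIDC path is not pre-empted by an empty token. If the job must keep `registry-url` for some other reason, clear that line explicitly before `npm publish`.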
Use a Truffle-supported Node version in this workflow
This job still runs yarn build --include-dependencies, which reaches packages/protocol's build script and shells out to truffle compile in packages/protocol/scripts/build.ts. The repo is pinned to truffle@5.9.0 (packages/protocol/package.json), and Truffle only added Node 20 support in later releases, so bumping this runner from 18.x to 20.x can break the compile step before either package is published. That would block every contracts/abis release until Truffle is upgraded or the workflow stays on Node 18.
Publish contracts abi OIDC
Note
Medium Risk
Changes the NPM release workflow authentication path (removing token-based publishing in favor of OIDC) and bumps the Node/npm toolchain, which could break or alter package publishing if the runner or npm configuration is incompatible.
Overview
Updates the publish-contracts-abi-release GitHub Actions workflow to publish @celo/contracts and @celo/abis via OIDC trusted publishing instead of injecting an NPM_TOKEN from Akeyless. The job now runs on Node 20 and explicitly upgrades to npm@11.5.1 before npm publish, removing NODE_AUTH_TOKEN usage from the publish steps while keeping the existing build/validation and dist-tagging behavior.
Written by Cursor Bugbot for commit d176e1b. This will update automatically on new commits.