
Migrate to npm Trusted Publisher with pinned npm version#8

Merged
jimaek merged 4 commits into master from copilot/update-publishing-to-trusted-system on Feb 2, 2026

Conversation

Copilot AI (Contributor) commented Feb 2, 2026

Replaces token-based npm authentication with OIDC Trusted Publisher. Pins npm to ~10.9.0 to ensure --provenance flag compatibility (requires npm >= 9.5.0).

Changes

Workflow (.github/workflows/publish_npm.yml):

  • Add OIDC permissions (id-token: write, contents: read)
  • Configure registry-url in actions/setup-node@v4
  • Add npm pinning step: npm install -g npm@~10.9.0
  • Remove NPM_TOKEN secret

Publish script (.bin/publish_npm):

  • Remove manual token configuration
  • Add --provenance flag to npm publish

npm Version Strategy

Using ~10.9.0 (tilde range):

  • Allows patch updates (10.9.x) for security fixes
  • Blocks minor updates (10.10.x+) to prevent breaking changes
  • Guarantees --provenance support across all runs

Authentication Flow

- npm config set '//registry.npmjs.org/:_authToken' "$NPM_TOKEN"
- npm publish --access public --tag "$TAG"
+ # registry-url in setup-node configures OIDC auth
+ npm publish --access public --tag "$TAG" --provenance
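Review bot: the comment on the added line attributes OIDC auth to registry-url in setup-node, but the query result quoted later in this review puts the npm CLI minimum for Trusted Publishing at v11.5.1+, while this PR pins npm to ~10.9.0; with NPM_TOKEN removed, an npm that cannot perform the OIDC exchange would reach npm publish with no credential at all. Before relying on this, run the workflow once against the registry and confirm the published version carries a provenance attestation, and consider pinning an npm 11 release (npm install -g npm@11) instead of ~10.9.0. Keeping --provenance does no harm, but the same result notes the attestation is generated automatically under Trusted Publishing.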

The npm registry has been pre-configured to trust this repository and workflow file for publishing.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/setup-node/contents/action.yml
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

I have this repo which has a workflow to publish from github to npm but now I want to switch away from tokens to the new "Trusted Publisher" system that does not require tokens. I have already configured the npm to trust this repo and "publish_npm.yml" file. Plan the changes required to switch to trusted publishing



Co-authored-by: jimaek <1834071+jimaek@users.noreply.github.com>
Copilot AI changed the title [WIP] Switch to Trusted Publisher system for npm publishing Migrate npm publishing to Trusted Publisher (OIDC) Feb 2, 2026
Copilot AI requested a review from jimaek February 2, 2026 14:29
@jimaek jimaek marked this pull request as ready for review February 2, 2026 14:31
coderabbitai bot commented Feb 2, 2026

Walkthrough

The changes modify the NPM package publishing pipeline by transitioning the authentication mechanism and adding provenance support. The workflow now grants specific permissions including id-token write access, upgrades the Node action to v4 with an explicit registry URL configuration, and removes the NPM token environment variable. The publish script removes the npm config authentication step and adds the --provenance flag to the publish command. These modifications refactor how credentials are handled during the package publication process.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Title check: Passed. The title accurately and concisely summarizes the main change: migrating npm publishing to use OIDC-based Trusted Publisher authentication instead of tokens.
  • Description check: Passed. The description is comprehensive and directly related to the changeset, detailing the authentication switch from NPM_TOKEN to Trusted Publisher with clear before/after examples and implementation details.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


jimaek (Member) commented Feb 2, 2026

@coderabbitai review

coderabbitai bot commented Feb 2, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot left a review comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/publish_npm.yml:
- Around line 23-26: The workflow uses actions/setup-node@v4 with node-version:
'18' but relies on npm's --provenance flag which requires npm >= 9.5.0; either
pin npm to a known compatible version (e.g., run npm install -g npm@10 after
setup-node) or remove the --provenance option from the npm publish step. Locate
the publish step that invokes npm publish --provenance and update it to first
install a pinned npm (or change the publish command to omit --provenance) so the
workflow behavior is deterministic.

Comment on lines +23 to +26
uses: actions/setup-node@v4
with:
node-version: '18'
registry-url: 'https://registry.npmjs.org'

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

npm publish --provenance minimum version requirement

💡 Result:

npm publish --provenance requires npm CLI v9.5.0 or later (older npm versions don’t support npm provenance). [1]

If you’re using Trusted Publishing (OIDC) instead of tokens, that feature requires npm CLI v11.5.1+, and provenance attestations are generated automatically (so you typically don’t need --provenance). [2]



🌐 Web query:

Node.js 18 default npm version bundled

💡 Result:

It depends on the exact Node.js 18.x.y release (the bundled npm version changes across minors/patches):

  • Node.js 18.20.8 bundles npm 10.8.2. [1]
  • The initial Node.js 18.0.0 release bundled npm 8.6.0. [2]
  • Example mid-line: Node.js 18.18.0 bundled npm 9.8.1. [3]

To confirm what you have installed locally: node -p "process.versions.npm".



🌐 Web query:

actions/setup-node v4 node-version 18 resolves which version

💡 Result:

actions/setup-node@v4 treats node-version: 18 as a SemVer range meaning “latest available 18.x.y that satisfies 18” (not a fixed patch release). It will:

  1. Prefer a matching Node 18 already in the runner tool cache (SemVer match), and use the best match it finds.
  2. If not found, download a Node 18 build (preferably from actions/node-versions, otherwise from the official Node.js distributions).
    So the exact 18.x.y you get can vary over time and by runner image contents unless you pin it. [1]

To know what you actually got in a run, add:

- run: node -v

If you need a deterministic version, set an explicit patch (e.g. 18.20.5) instead of 18. [1][2]

Sources: [1] (setup-node README / v4 docs), [2] (GitHub Actions "Building and testing Node.js" examples using 18.x with setup-node@v4).


🌐 Web query:

GitHub Actions ubuntu-latest Node.js 18 latest version 2026

💡 Result:

  • runs-on: ubuntu-latest (GitHub Actions) in 2026: it maps to Ubuntu 24.04 (the migration to make 24.04 the ubuntu-latest default completed by Jan 17, 2025). [1]
  • “Node.js 18 latest version” (as of 2026): Node.js 18 is end-of-life, so the last (and thus “latest”) 18.x release remains v18.20.8 (2025-03-27). [2]
  • If you use actions/setup-node with node-version: 18, it will resolve a matching 18.x version (from cache / node-versions, otherwise Node.js dist). [3]

Sources: [1] GitHub actions/runner-images announcement on ubuntu-latest → 24.04 rollout, [2] official Node.js v18.20.8 release post, [3] actions/setup-node documentation.


Consider adding an explicit npm version or removing the --provenance flag if not required.

The npm --provenance feature requires npm v9.5.0+, and while recent Node 18 releases (18.18.0+) bundle compatible npm versions, using actions/setup-node@v4 with node-version: '18' does not guarantee a specific npm version—it resolves to the best available match in the runner's cache, which can vary. If your publish workflow relies on npm publish --provenance, either explicitly pin npm (e.g., npm install -g npm@10) or clarify whether provenance attestation is actually needed (GitHub's Trusted Publishing / OIDC may handle this automatically without the flag).

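The PR description's version strategy (a ~10.9.0 tilde pin so that --provenance is always available) and the review's concern above (node-version: '18' does not fix the npm version, and Trusted Publishing may need a newer npm than --provenance does) both come down to checks a publish job can run before it calls npm publish. The script below is an added example, not the repository's .bin/publish_npm or anything from this PR. It assumes the thresholds stated on this page: --provenance needs npm >= 9.5.0 (PR description) and Trusted Publishing needs npm >= 11.5.1 (the figure in the review's query result; verify it against current npm documentation before relying on it). ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are the variables GitHub Actions sets when a job has id-token: write; everything else is passed in as arguments so the checks run offline. Under these assumptions, a job pinned to ~10.9.0 passes the provenance check and fails the Trusted Publishing check, which is exactly the gap the review flags.

```sh
#!/bin/sh
# Pre-publish guard for a Trusted Publisher (OIDC) npm release job.
# Added example, not the repository's .bin/publish_npm script.
# Thresholds: --provenance needs npm >= 9.5.0 (PR description); Trusted
# Publishing needs npm >= 11.5.1 (figure quoted in the review's query result;
# verify against current npm docs before relying on it).
set -eu

PROVENANCE_MIN_NPM=9.5.0
TRUSTED_PUBLISHING_MIN_NPM=11.5.1

# split_semver V: sets MAJOR MINOR PATCH from "X.Y.Z[-pre]" (missing parts -> 0)
split_semver() {
  _sv=${1%%-*}
  MAJOR=${_sv%%.*}; _sv=${_sv#"$MAJOR"}; _sv=${_sv#.}
  MINOR=${_sv%%.*}; _sv=${_sv#"$MINOR"}; _sv=${_sv#.}
  PATCH=${_sv%%.*}
  : "${MINOR:=0}" "${PATCH:=0}"
}

# version_ge A B: succeeds when version A >= version B (numeric compare per part)
version_ge() {
  split_semver "$1"; a1=$MAJOR; a2=$MINOR; a3=$PATCH
  split_semver "$2"; b1=$MAJOR; b2=$MINOR; b3=$PATCH
  [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
  [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
  [ "$a3" -ge "$b3" ]
}

# in_tilde_range V PIN: succeeds when V satisfies ~PIN, i.e. same major.minor
# as PIN and patch >= PIN's patch (10.9.4 matches ~10.9.0, 10.10.0 does not)
in_tilde_range() {
  split_semver "$1"; v1=$MAJOR; v2=$MINOR; v3=$PATCH
  split_semver "$2"; p1=$MAJOR; p2=$MINOR; p3=$PATCH
  [ "$v1" -eq "$p1" ] && [ "$v2" -eq "$p2" ] && [ "$v3" -ge "$p3" ]
}

# oidc_available URL TOKEN: succeeds when both ambient ID-token request values
# are present; GitHub sets ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN only when the
# job has `id-token: write`
oidc_available() {
  [ -n "${1:-}" ] && [ -n "${2:-}" ]
}

# npmrc_has_token FILE: succeeds when a registry _authToken is still configured,
# i.e. the legacy token path the migration was supposed to remove
npmrc_has_token() {
  [ -f "$1" ] && grep -q '_authToken=' "$1"
}

# preflight NPM_VERSION PIN OIDC_URL OIDC_TOKEN NPMRC: runs every check,
# reports each failure, and returns 1 if any failed
preflight() {
  npm_v=$1; pin=$2; oidc_url=$3; oidc_tok=$4; npmrc=$5; status=0
  in_tilde_range "$npm_v" "$pin" ||
    { echo "FAIL: npm $npm_v is outside the ~$pin pin"; status=1; }
  version_ge "$npm_v" "$PROVENANCE_MIN_NPM" ||
    { echo "FAIL: npm $npm_v predates --provenance (needs >= $PROVENANCE_MIN_NPM)"; status=1; }
  version_ge "$npm_v" "$TRUSTED_PUBLISHING_MIN_NPM" ||
    { echo "FAIL: npm $npm_v predates Trusted Publishing (needs >= $TRUSTED_PUBLISHING_MIN_NPM)"; status=1; }
  oidc_available "$oidc_url" "$oidc_tok" ||
    { echo "FAIL: no OIDC token request endpoint; is id-token: write granted?"; status=1; }
  if npmrc_has_token "$npmrc"; then
    echo "FAIL: $npmrc still carries an _authToken; remove it so OIDC is used"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: npm $npm_v, OIDC present, no legacy token"
  return "$status"
}

# In CI (set PUBLISH_PREFLIGHT_RUN=1 in the workflow step) the real values come
# from npm and the runner environment; the script exits nonzero on any failure.
if [ "${PUBLISH_PREFLIGHT_RUN:-0}" = 1 ]; then
  preflight "$(npm -v)" 10.9.0 \
    "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
    "${HOME}/.npmrc"
fi
```

Put the guard in the step immediately before npm publish; because it only reads the npm version, two environment variables and the .npmrc, it fails fast with a readable reason instead of leaving you to decode a 401 from the registry after the job's credential-free publish attempt.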

Copilot AI and others added 2 commits February 2, 2026 14:48
Co-authored-by: jimaek <1834071+jimaek@users.noreply.github.com>
…rminism

Co-authored-by: jimaek <1834071+jimaek@users.noreply.github.com>
Copilot AI changed the title Migrate npm publishing to Trusted Publisher (OIDC) Migrate to npm Trusted Publisher with pinned npm version Feb 2, 2026
@jimaek jimaek merged commit b0c4543 into master Feb 2, 2026
1 check passed
@jimaek jimaek deleted the copilot/update-publishing-to-trusted-system branch February 2, 2026 14:59