Enable provenance and improve npm publish security#26
Merged
Add id-token: write permission and --provenance --access public flags needed for npm trusted publisher authentication via GitHub Actions OIDC. https://claude.ai/code/session_01DwC5irUcgWuxsW2iRH5APK
- Upgrade Node to 24.x (OIDC trusted publishing requires npm >= 11.5.1)
- Add npm install -g npm@latest to ensure latest npm with OIDC support
- Remove NODE_AUTH_TOKEN secret (not needed with trusted publishers)
- Add id-token: write permission for OIDC authentication
- Add --provenance --access public flags for trusted publishing

https://claude.ai/code/session_01DwC5irUcgWuxsW2iRH5APK
Summary
This PR enhances the npm publishing workflow by enabling provenance attestation and improving security posture through explicit permission declarations.
Key Changes
- `permissions` block at workflow level with `contents: read` and `id-token: write` permissions
- `permissions` block added to the build job with the same permissions
- `--provenance` flag for supply chain security attestation
- `--access public` flag to ensure the package is published as public

Implementation Details
The changes implement OIDC (OpenID Connect) token-based authentication for npm publishing, which is more secure than token-based authentication. The `id-token: write` permission is required to generate the OIDC token that npm can verify, while `contents: read` allows the workflow to access the repository contents. The `--provenance` flag enables npm to create a signed provenance statement that can be verified by consumers of the package.

https://claude.ai/code/session_01DwC5irUcgWuxsW2iRH5APK
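The workflow below is an added illustration of the configuration the PR description and commit messages talk about; it is not the project's own workflow file and is not part of the PR diff. It assumes a release-triggered publish, `actions/checkout@v4` and `actions/setup-node@v4` as the action versions, and that the project has a `build` script; everything else (the two `permissions` blocks, Node 24.x, the `npm install -g npm@latest` step, the absence of a `NODE_AUTH_TOKEN` secret, and `npm publish --provenance --access public`) follows what the page states.

```yaml
name: Publish to npm

on:
  release:
    types: [published]   # assumption: publish on a GitHub release

# Workflow-level permissions: least privilege by default.
# id-token: write lets the job request a GitHub OIDC token, which npm
# exchanges for a short-lived publish credential, so no long-lived
# NODE_AUTH_TOKEN secret needs to be stored in the repository.
permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    # Repeated at job level so this job keeps exactly these permissions
    # even if the workflow-level block is widened later.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4          # assumption: action version

      - uses: actions/setup-node@v4        # assumption: action version
        with:
          node-version: 24.x
          registry-url: https://registry.npmjs.org

      # Trusted publishing requires npm >= 11.5.1; this step makes sure the
      # runner's npm is new enough regardless of what the Node image bundles.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build                 # assumption: project defines a build script

      # --provenance: npm attaches a signed provenance statement tying the
      #   package tarball to this repository, workflow and run.
      # --access public: publish the package publicly.
      # No NODE_AUTH_TOKEN env var is set; npm authenticates with the OIDC token.
      - run: npm publish --provenance --access public
```

Two checks a practitioner would want here: the package must have this repository and workflow filename registered as a trusted publisher in its npm settings, otherwise the OIDC exchange is refused and `npm publish` fails with an authentication error; and consumers can confirm the attestation after the fact by running `npm audit signatures` in a project that depends on the package, which verifies registry signatures and provenance attestations for installed packages.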