Configure CI for NPM OIDC Tokens #1714
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
It's likely that we will need to update the version of semantic-release we are using to either the latest or to one after which they added support for these OIDC tokens, I wasn't able to figure out the exact version. https://github.com/pelias/ci-tools/blob/master/semantic-release.sh [edit] It seems to be fairly modern semantic-release/npm#958 |
orangejulius
approved these changes
Dec 17, 2025
This was referenced Dec 18, 2025
missinglink
force-pushed
the
npm-oidc-publishing
branch
from
5ffcd03 to
43fcc5d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Responding to the email "Classic npm tokens stop working December 9th" this PR migrates our classic tokens to 'OIDC' tokens.
There are two options for migration:
Granular Access Tokens
These are fairly similar to the classic tokens but have a maximum lifespan of 90 days, this sounds like an arduous chore.
OIDC Trusted Pubishing
https://docs.npmjs.com/trusted-publishers
This is only available for Github/Gitlab but lets you define the repo and workflow file that has permissions to publish.
What's requires are this change to every affected repo, plus going through the
npmmodules manually by an admin at a url such as https://www.npmjs.com/package/pelias-api/access and configuring them.The configuration looks like this: