ci: switch npm publish to OIDC trusted publishing #1199

Merged
cliffhall merged 1 commit into main from paulc/npm-trusted-publishing
Apr 14, 2026

Conversation

@pcarleton pcarleton commented Apr 14, 2026

Summary

Replaces the NPM_TOKEN secret with npm's OIDC trusted publishing for the publish job.

  • Installs npm@^11.5.1 before publish (Node 22's bundled npm 10.x doesn't support OIDC)
  • Removes NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  • Sets NPM_CONFIG_PROVENANCE: "true" so all 4 packages get provenance attestations
  • id-token: write and registry-url were already present, so no other changes needed

The GitHub environment has been renamed from `Release` to `release` (delete + recreate via API with identical required reviewers) so the env name, workflow yaml, and npm trusted-publisher config all match exactly. npm matches the OIDC environment claim case-sensitively against the yaml value.

Required manual setup before merge

On npmjs.com, configure a GitHub Actions trusted publisher for each package with:

| Field             | Value                |
|-------------------|----------------------|
| Organization      | modelcontextprotocol |
| Repository        | inspector            |
| Workflow filename | main.yml             |
| Environment       | release              |

Packages to configure:

  • @modelcontextprotocol/inspector
  • @modelcontextprotocol/inspector-client
  • @modelcontextprotocol/inspector-server
  • @modelcontextprotocol/inspector-cli

Test plan

  • Trusted publisher configured on npmjs.com for all 4 packages
  • Cut a release and confirm publish job succeeds without NPM_TOKEN
  • Verify provenance badge appears on the published packages
  • Delete the repo-level NPM_TOKEN secret if one exists (env-level secret was already removed with the old environment)

- Upgrade npm to ^11.5.1 in the publish job (Node 22 bundles npm 10.x,
  which lacks OIDC trusted publishing support)
- Drop NODE_AUTH_TOKEN / NPM_TOKEN secret in favor of OIDC
- Enable provenance attestation via NPM_CONFIG_PROVENANCE

The publish job already had id-token: write and registry-url configured.
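The change the description walks through, shown as a publish job before and after the switch. This is an added illustration written for this page, not the inspector repository's actual main.yml: the workflow trigger, the checkout/setup-node steps, the `--workspaces` flag and the job names are assumptions, while the `release` environment, `id-token: write`, `registry-url`, the npm upgrade to `^11.5.1`, the dropped `NODE_AUTH_TOKEN` and `NPM_CONFIG_PROVENANCE: "true"` are the settings the PR names.

```yaml
# Added illustration of the publish job before and after this PR.
# Not the repository's own main.yml: the trigger, checkout/setup-node
# steps and --workspaces are assumptions; the settings the PR names are
# taken from the PR description.
name: release
on:
  release:
    types: [published]          # assumed trigger

jobs:
  # --- BEFORE: long-lived registry token ------------------------------
  publish-with-token:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write           # already present, but unused by token auth
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --workspaces
        env:
          # Long-lived secret: anyone who exfiltrates it can publish until it
          # is rotated, and nothing binds the upload to this repo or workflow.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # --- AFTER: OIDC trusted publishing ---------------------------------
  publish-with-oidc:
    runs-on: ubuntu-latest
    environment: release        # must match the npm trusted-publisher config,
                                # compared case-sensitively (Release != release)
    permissions:
      contents: read
      id-token: write           # lets the job request a short-lived OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # npm exchanges the OIDC token here
      # Node 22 bundles npm 10.x, which cannot do the OIDC token exchange.
      - run: npm install -g npm@^11.5.1
      - run: npm ci
      - run: npm publish --workspaces
        env:
          # No NODE_AUTH_TOKEN: the registry issues a short-lived publish
          # credential only to this org/repo/workflow/environment identity.
          NPM_CONFIG_PROVENANCE: "true"   # attach a provenance attestation to each package
```

The security point is the blast radius: with a token, a leaked `NPM_TOKEN` publishes from anywhere until someone rotates it; with OIDC there is no stored secret, and a publish is only accepted when the GitHub-issued identity claims (organization, repository, workflow file, environment) match the trusted-publisher entry on npmjs.com, which is why the environment name has to match the yaml exactly. As a check beyond the test plan's badge inspection, `npm audit signatures` run in a consumer project that depends on the published packages verifies the registry signatures and provenance attestations on the installed versions.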
@pcarleton pcarleton requested a review from cliffhall April 14, 2026 10:55
@cliffhall cliffhall left a comment

LGTM! 👍

@cliffhall cliffhall merged commit 948c4fa into main Apr 14, 2026
8 checks passed
@cliffhall cliffhall deleted the paulc/npm-trusted-publishing branch April 14, 2026 14:14