Skip to content

feat: add npm trusted publishing with OIDC authentication #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ls-ramos wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: add npm trusted publishing with OIDC authentication #71

ls-ramos wants to merge 4 commits into from

Conversation

@ls-ramos
Copy link

@ls-ramos ls-ramos commented Feb 2, 2026

Success criteria

  • Packages can be published to npm using OIDC authentication (trusted publishing)
  • No long-lived npm tokens are required in GitHub secrets
  • Provenance attestations are automatically generated for published packages
  • New publish workflow triggers on push to main branch

How to test

  1. Configure trusted publisher on npmjs.com for this package:
    • Organization: Cognigy
    • Repository: SocketClient
    • Workflow filename: publish.yml
  2. Merge this PR and push to main
  3. Verify the package is published successfully without npm tokens

Security

  • Possible injection vector
  • Authentication/Access controls touched
  • Sensitive Data could be exposed
  • XSS
  • Logging/Monitoring touched
  • Exchanges data with external systems
  • No security implications

Additional considerations

  • This PR might have performance implications

Documentation Considerations

These are hints for the documentation team to help write the docs.

Copilot AI review requested due to automatic review settings February 2, 2026 17:00
@graymalkin77
Copy link

graymalkin77 commented Feb 2, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI reviewed Feb 2, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces automated npm package publishing using OIDC-based trusted publishing, eliminating the need for long-lived npm authentication tokens stored in GitHub secrets.

Changes:

  • Added a new GitHub Actions workflow that publishes to npm on pushes to the main branch
  • Configured OIDC authentication for secure, token-free publishing
  • Enabled automatic provenance attestation generation for published packages

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ls-ramos ls-ramos requested a review from a team February 9, 2026 11:35
vj-venkatesan
vj-venkatesan reviewed Feb 9, 2026
View reviewed changes
Copilot AI review requested due to automatic review settings February 9, 2026 13:51
Copilot AI reviewed Feb 9, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ls-ramos ls-ramos requested a review from a team February 10, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@vj-venkatesan vj-venkatesan vj-venkatesan approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ls-ramos @graymalkin77 @vj-venkatesan