chore: switch npm publish from token auth to OIDC trusted publishers

rgarcia · cursoragent · rgarcia · commit 24e00ea8f816 · 2026-02-07T11:32:59.000-05:00
Replace NPM_TOKEN-based authentication with npm's OIDC trusted
publishers. This eliminates the need for a long-lived npm token secret
and adds provenance attestation to published packages.

Changes:
- publish-npm.yml: add id-token:write permission, setup-node with
  registry-url, remove NPM_TOKEN env
- bin/publish-npm: remove npm config set for auth token, switch from
  yarn publish to npm publish --provenance --access public
- bin/check-release-environment: remove NPM_TOKEN check (no longer
  needed)
- release-doctor.yml: remove NPM_TOKEN env

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -8,6 +8,10 @@ on:
   release:
     types: [published]
 
+permissions:
+  id-token: write # Required for npm OIDC trusted publishers
+  contents: read
+
 jobs:
   publish:
     name: publish
@@ -17,9 +21,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Set up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: |
@@ -28,5 +33,3 @@ jobs:
       - name: Publish to NPM
         run: |
           bash ./bin/publish-npm
-        env:
-          NPM_TOKEN: ${{ secrets.KERNEL_NPM_TOKEN || secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
@@ -17,6 +17,4 @@ jobs:
       - name: Check release environment
         run: |
           bash ./bin/check-release-environment
-        env:
-          NPM_TOKEN: ${{ secrets.KERNEL_NPM_TOKEN || secrets.NPM_TOKEN }}
 
diff --git a/bin/check-release-environment b/bin/check-release-environment
@@ -1,22 +1,6 @@
 #!/usr/bin/env bash
 
-errors=()
-
-if [ -z "${NPM_TOKEN}" ]; then
-  errors+=("The NPM_TOKEN secret has not been set. Please set it in either this repository's secrets or your organization secrets")
-fi
-
-lenErrors=${#errors[@]}
-
-if [[ lenErrors -gt 0 ]]; then
-  echo -e "Found the following errors in the release environment:\n"
-
-  for error in "${errors[@]}"; do
-    echo -e "- $error\n"
-  done
-
-  exit 1
-fi
+# Publishing uses npm OIDC trusted publishers — no secrets required.
+# The GitHub Actions workflow must have `permissions: id-token: write`.
 
 echo "The environment is ready to push releases!"
-
diff --git a/bin/publish-npm b/bin/publish-npm
@@ -2,8 +2,6 @@
 
 set -eux
 
-npm config set '//registry.npmjs.org/:_authToken' "$NPM_TOKEN"
-
 yarn build
 cd dist
 
@@ -57,5 +55,5 @@ else
   TAG="latest"
 fi
 
-# Publish with the appropriate tag
-yarn publish --tag "$TAG"
+# Publish with the appropriate tag using npm OIDC trusted publishers
+npm publish --provenance --access public --tag "$TAG"
