Migrate NPM publishing to OIDC trusted publishing#191

Merged

leoromanovsky merged 1 commit into main from worktree-npm-oidc-migration on Mar 3, 2026

Conversation

@leoromanovsky
Collaborator

Motivation

NPM is deprecating classic access tokens (announcement). Our release workflow currently uses the ENV_NPM_TOKEN secret written to ~/.npmrc. We need to migrate to OIDC trusted publishing per the internal migration guide.

Changes

  • release.yaml: Remove ~/.npmrc token injection and NODE_AUTH_TOKEN env vars from all 3 publish steps. Add registry-url to setup-node for OIDC discovery.
  • Yarn 4.9.2 → 4.10.3: Bumped to meet the minimum version required for OIDC support.
  • docs/npm-oidc-migration.md: Full migration plan documenting manual pre/post steps.

Decisions

  • The workflow already had id-token: write and environment: production — no changes needed there.
  • Lerna ^9.0.3 already meets the >=9.0.0 requirement.
  • --provenance flag not added — npm trusted publishing handles attestation automatically.

Pre-merge manual steps (required)

Before merging, trusted publishers must be configured on npmjs.com for all 3 packages:

  • @datadog/flagging-core
  • @datadog/openfeature-browser
  • @datadog/openfeature-node-server

Settings → Trusted Publisher → GitHub Actions → org: DataDog, repo: openfeature-js-client, workflow: release.yaml, environment: production.

Post-merge manual steps

After a successful OIDC publish:

  1. Lock down packages: Settings → Publishing access → "Require 2FA and disallow tokens"
  2. Delete the old ENV_NPM_TOKEN from GitHub environment secrets
  3. Delete the old NPM token from the datadog NPM account
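The workflow change the PR describes, as an added illustration rather than the project's own release.yaml: the classic-token steps that the PR removes are shown commented out beside the OIDC form that replaces them. The job name, tag trigger, Node version and the single `npm publish` step are assumptions for the example (the real workflow publishes three packages through Lerna and Yarn); the `environment: production` and `id-token: write` settings are the ones the PR says it relies on.

```yaml
# Hypothetical release.yaml excerpt (added example, not the project's file).
name: release
on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the environment name registered in the npm trusted publisher
    # (Settings -> Trusted Publisher -> GitHub Actions); the OIDC token carries it.
    environment: production
    permissions:
      contents: read      # publishing needs nothing more from the repository
      id-token: write     # lets the job request an OIDC token that npm exchanges for a short-lived credential
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # Writes the registry into .npmrc so npm knows which registry to
          # exchange the OIDC token with ("OIDC discovery" in the PR).
          registry-url: https://registry.npmjs.org

      # BEFORE (classic long-lived token; the pattern this migration removes):
      # - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
      #   env:
      #     NPM_TOKEN: ${{ secrets.ENV_NPM_TOKEN }}
      # - run: npm publish --access public
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.ENV_NPM_TOKEN }}

      # AFTER: no registry secret exists in the job at all. A recent npm
      # (11.5.1 or newer, per npm's trusted-publishing docs) detects the
      # GitHub Actions OIDC environment and authenticates by itself; Node's
      # bundled npm may be older, so it is upgraded first.
      - run: npm install -g npm@latest
      - run: corepack enable && corepack prepare yarn@4.10.3 --activate
      - run: yarn install --immutable
      - run: yarn build
      - run: npm publish --access public
```

Two things are worth checking after the first OIDC publish. If the job's `environment` or `workflow` filename differs from what was registered on npmjs.com, the exchange is refused and `npm publish` fails with an authentication error rather than silently falling back, which is the desired behaviour. Once the publish succeeds, the post-merge steps above (require 2FA and disallow tokens, delete `ENV_NPM_TOKEN`, revoke the account token) close the path a leaked or forgotten classic token would otherwise leave open.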

Classic NPM tokens are being deprecated. This switches the release
workflow to use GitHub Actions OIDC for authentication instead of
the ENV_NPM_TOKEN secret.

Changes:
- Remove ~/.npmrc token injection and NODE_AUTH_TOKEN env from all
  publish steps in release.yaml
- Add registry-url to setup-node for OIDC discovery
- Bump yarn from 4.9.2 to 4.10.3 (minimum for OIDC support)
- Add migration plan doc with manual pre/post steps
leoromanovsky marked this pull request as ready for review March 2, 2026 19:11
leoromanovsky requested a review from a team as a code owner March 2, 2026 19:11
gh-worker-ownership-write-b05516 (bot) removed the request for review from yoannmoinet March 2, 2026 19:12
leoromanovsky merged commit c2ec5d8 into main Mar 3, 2026
4 checks passed
leoromanovsky deleted the worktree-npm-oidc-migration branch March 3, 2026 14:55