Skip to content

Fix OIDC setup for npm publish#102

Merged
SanthoshCharanBolt merged 3 commits into
mainfrom
SanthoshCharan/fix-OIDC-setup
Jul 6, 2026
Merged

Fix OIDC setup for npm publish#102
SanthoshCharanBolt merged 3 commits into
mainfrom
SanthoshCharan/fix-OIDC-setup

Conversation

@SanthoshCharanBolt

@SanthoshCharanBolt SanthoshCharanBolt commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Description

The release workflow published to npm using a static expired NPM_TOKEN secret, which have broken publishing. This PR switches to npm's OIDC-based trusted publishing: adds id-token: write permission, fixes the registry URL, drops the NODE_AUTH_TOKEN/NPM_TOKEN secret, and publishes with --provenance so the package is cryptographically linked back to this source and workflow run.

Verified by reading the final workflow diff against npm's trusted-publishing/OIDC requirements; no local run possible since publish only fires on a version bump to main.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

Human reviewer only: read the Security Impact Summary below, then check the box when satisfied.

  • I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

Removes the long-lived NPM_TOKEN secret from the publish step in favor of short-lived OIDC tokens, reducing the blast radius of a leaked static credential.

Reviewer choices: None.


Agent / CI checklist (for AI-assisted or stacked PRs)

  • Scope: diff is limited to this PR's purpose; no unrelated refactors
  • Peril: migrations are not mixed with application code; at most one migration per PR
  • Local verify: ran checks from verify-before-done for touched paths — N/A, this only changes a GitHub Actions workflow that runs on push to main; verified by inspection against npm's OIDC trusted-publishing requirements
  • Evidence: Description cites the actual diff and reasoning, not "should work"
  • Security review: human author checked the PCI security checkbox after reading the summary (agents must not check it)
  • Stacked PRs: N/A, not stacked on another branch

Test plan

  • Merge to main and confirm the release workflow runs and publishes without NPM_TOKEN
  • Verify the published package on npmjs.com shows a provenance/build attestation badge

@snyk-io

snyk-io Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the main release workflow to publish to npm using npm’s OIDC Trusted Publishing instead of a long-lived NPM_TOKEN, and adds provenance signing for published artifacts.

Changes:

  • Adds permissions: id-token: write so the workflow can request an OIDC token.
  • Removes the NODE_AUTH_TOKEN/secrets.NPM_TOKEN publish-time secret usage.
  • Publishes with npm publish --provenance to attach cryptographic provenance.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/main-release.yml Outdated
Comment thread .github/workflows/main-release.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/main-release.yml
@SanthoshCharanBolt SanthoshCharanBolt marked this pull request as ready for review July 6, 2026 10:36
@SanthoshCharanBolt SanthoshCharanBolt requested a review from a team as a code owner July 6, 2026 10:36
@SanthoshCharanBolt SanthoshCharanBolt merged commit c6ddf2a into main Jul 6, 2026
9 checks passed
@SanthoshCharanBolt SanthoshCharanBolt deleted the SanthoshCharan/fix-OIDC-setup branch July 6, 2026 10:40
SanthoshCharanBolt added a commit that referenced this pull request Jul 6, 2026
### Description

While verifying the OIDC/Trusted Publishing fix from #102, a test
publish landed `0.9.10` on npm from an untagged, off-`main` commit (see
#103, closed). `main`'s `package.json` is still at `0.9.9`.

Without this fix, the next release-triggering commit to `main` would run
`yarn release --ci`, compute the next version as `0.9.10` again (already
published), and fail — npm rejects republishing an existing version.

This bumps `main` to `0.9.10` so the next real release correctly
computes `0.9.11`+.

### Background on why `main` was broken

Versions `0.9.4`–`0.9.9` were bumped and tagged on `main` via `chore:
release` commits, but every one of those publishes failed with a 404
(`npm error 404 Not Found - PUT .../@BoltPay%2freact-native`), because
npm Trusted Publishing was never configured for this package. That's now
fixed:
- #102 corrected the workflow (`id-token: write`, correct registry URL,
OIDC-based auth, `--provenance`)
- A Trusted Publisher entry was added on npmjs.com for
`boltapp/bolt-react-native-sdk` + `main-release.yml`
- Verified working end-to-end via a throwaway branch/PR (#103, closed) —
publish succeeded with a signed provenance attestation

### Security Review

- [x] I have considered and reviewed security implications of this PR
and included the summary below.

#### Security Impact Summary

Version-number-only change; no application code or production behavior
affected.

**Reviewer choices:** None.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants