Skip to content

Migrate npm publishing to trusted publishing (OIDC) — kill NPM_TOKEN rotation #23

Description

@ElbertePlinio

Goal: stop npm publish tokens from expiring by migrating CI publishing to npm trusted publishing (OIDC). No stored token, nothing to rotate.

Context: NPM_TOKEN expiry email received 2026-07-09. npm granular write tokens are capped at 90 days and classic tokens are revoked, so rotation emails are permanent unless we go tokenless.

PR plan

  • PR 1 — pickforge-platform publish.yml → OIDC
    • Touches: .github/workflows/publish.yml (add id-token: write, drop NODE_AUTH_TOKEN)
    • Validation: next tag publish succeeds via OIDC
    • Link: pending
  • PR 2 — picklab release.yml → OIDC
    • Touches: .github/workflows/release.yml (add id-token: write, drop NODE_AUTH_TOKEN, Node 20 → 24 for npm ≥ 11.5.1)
    • Validation: next picklab release publishes via OIDC
    • Link: pending

Manual steps (npmjs.com, browser — Elberte)

Configure GitHub Actions trusted publisher on each package (Settings → Trusted Publisher):

  • @pickforge/auth — repo pickforge/pickforge-platform, workflow publish.yml
  • @pickforge/billing — same
  • @pickforge/brand — same
  • @pickforge/edge-shared — same
  • @pickforge/flags — same
  • @pickforge/sync — same
  • @pickforge/tauri-release — same
  • @pickforge/picklab — repo pickforge/picklab, workflow release.yml

Cleanup

  • Verify one real publish per repo via OIDC
  • Delete NPM_TOKEN secret on pickforge-platform
  • Delete NPM_TOKEN secret on picklab
  • Revoke leftover npm tokens on npmjs.com

Ordering note: merging the PRs is safe before the npmjs.com config (publish only runs on tags), but a tag pushed after merge and before trusted-publisher config will fail to publish. Do the browser steps first.

Current status: Planned
Next action: PR 1

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions