
Copilot AI commented Oct 15, 2025

Overview

This PR implements support for npm's trusted publishers feature using OIDC (OpenID Connect) authentication in the GitHub Actions workflow, following the documentation at https://docs.npmjs.com/trusted-publishers.

Changes

Updated the publish_package job in .github/workflows/build.yml to include the necessary configuration for OIDC-based npm publishing:

1. Added OIDC Permissions

permissions:
  id-token: write # Required for OIDC
  contents: read

The id-token: write permission is critical as it allows GitHub Actions to generate OIDC tokens that can be used for secure authentication with npm without requiring long-lived secrets.

2. Upgraded GitHub Actions

  • actions/checkout: Updated from v3 to v4 for better compatibility and security
  • actions/setup-node: Updated from v1 to v4 and added registry-url: 'https://registry.npmjs.org' parameter to configure the npm registry for OIDC authentication

3. Ensured npm 11.5.1+

Added a step to update npm to the latest version:

- name: Update npm
  run: npm install -g npm@latest

This ensures npm 11.5.1 or later is installed, which is required for OIDC support.

Benefits

  • Enhanced Security: OIDC tokens are short-lived and scoped, reducing the risk associated with long-lived tokens
  • Simplified Token Management: Reduces the need to manually manage and rotate npm tokens
  • GitHub Native: Leverages GitHub's built-in OIDC provider for seamless integration

Backward Compatibility

The existing NPM_TOKEN environment variable is retained, ensuring the workflow continues to function with the current semantic-release setup while enabling future migration to OIDC-only authentication if desired.

Related Documentation

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • install.serverless.com
    • Triggering command: node ./postInstall.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

On build.yml, Following https://docs.npmjs.com/trusted-publishers do the following:

Add the required OIDC permissions to your workflow. Here's a complete example:

name: Publish Package

on:
  push:
    tags:
      - 'v*'

permissions:
  id-token: write  # Required for OIDC
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # Ensure npm 11.5.1 or later is installed
      - name: Update npm
        run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build --if-present
      - run: npm test
      - run: npm publish

The critical requirement is the id-token: write permission, which allows GitHub Actions to generate OIDC tokens. Learn more in GitHub's OIDC documentation.

Submit a PR


Copilot AI changed the title [WIP] Add OIDC permissions to build.yml Add OIDC permissions for npm trusted publishers to GitHub Actions workflow Oct 15, 2025
Copilot AI requested a review from activescott October 15, 2025 17:55
Copilot finished work on behalf of activescott October 15, 2025 17:55
Comment on lines +175 to +178
          registry-url: "https://registry.npmjs.org"

      - name: Update npm
        run: npm install -g npm@latest
Owner


Is the registry-url and npm update absolutely necessary? Doesn't setup-node keep npm up to date? Isn't the default registry URL registry.npmjs.org?
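The PR description relies on three things being true at publish time: npm is at least 11.5.1, the registry is registry.npmjs.org, and the job actually holds the id-token: write permission. The script below is an added example (not code from this PR, from npm or from GitHub) of a preflight step that checks all three before `npm publish` and fails the job with a reason otherwise. It assumes the 11.5.1 minimum stated in the PR, and that GitHub populates ACTIONS_ID_TOKEN_REQUEST_URL only when the job has id-token: write, so an empty value signals the missing permission.

```shell
#!/bin/sh
# Preflight for an npm trusted-publishing (OIDC) job. Added example, not code
# from this PR. Assumed: npm 11.5.1 is the minimum (per the PR description),
# and GitHub sets ACTIONS_ID_TOKEN_REQUEST_URL only when the job has
# id-token: write, so an empty value means the permission is missing.
MIN_NPM=11.5.1
EXPECTED_REGISTRY=https://registry.npmjs.org

# version_ge A B: succeed when A >= B, comparing each component numerically
# (so 11.10.0 >= 11.5.1, which a plain string compare gets wrong).
version_ge() {
  v1=${1%%-*}; v2=${2%%-*}           # drop any prerelease suffix such as -beta.1
  old_ifs=$IFS; IFS=.
  set -- $v1 0 0; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $v2 0 0; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$old_ifs
  if [ "$a1" -gt "$b1" ]; then return 0; elif [ "$a1" -lt "$b1" ]; then return 1; fi
  if [ "$a2" -gt "$b2" ]; then return 0; elif [ "$a2" -lt "$b2" ]; then return 1; fi
  if [ "$a3" -ge "$b3" ]; then return 0; fi
  return 1
}

# publish_preflight NPM_VERSION REGISTRY TOKEN_URL: return non-zero with a
# reason on stderr if any prerequisite for OIDC publishing is missing.
publish_preflight() {
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM; OIDC trusted publishing unsupported" >&2; return 1
  fi
  case "$2" in
    "$EXPECTED_REGISTRY"|"$EXPECTED_REGISTRY/") ;;   # npm may report a trailing slash
    *) echo "registry is '$2', expected $EXPECTED_REGISTRY" >&2; return 1 ;;
  esac
  if [ -z "$3" ]; then
    echo "ACTIONS_ID_TOKEN_REQUEST_URL is empty: job lacks 'id-token: write'" >&2; return 1
  fi
  return 0
}

# As a workflow step, run this before `npm publish`; values come from the live job.
if [ -n "${GITHUB_ACTIONS:-}" ]; then
  publish_preflight "$(npm --version)" "$(npm config get registry)" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || exit 1
fi
```

Dropping the `npm install -g npm@latest` step is safe only if this check still passes on the npm that setup-node's chosen Node version ships with.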

@activescott activescott marked this pull request as ready for review October 23, 2025 06:51