Skip to content

ci: migrate to OIDC Trusted Publishing #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: release
Choose a base branch
from
Open

ci: migrate to OIDC Trusted Publishing #13

wants to merge 11 commits into from
+1,126 −590

Conversation

@tanjeemh
Copy link

@tanjeemh tanjeemh commented Nov 13, 2025

What problem are we solving?

  • Update node version to 22.x to resolve version mismatch error
  • added id-token: write permissions to allow for OIDC auth
  • use environment: publish to enforce npmjs environment release security
  • update semantic-release/npm to v13.1.1 to comply with OIDC Trusted Publishing

Why solve it this way?
As classic npm tokens are being revoked as per npmjs notices, this PR is part of the overarching epic to migrate to using OIDC Trusted Publishing.
The addition of environments enforces custom branch deployment, ensuring that a random person can't just initiate a release.

The release branch is used for releases, hence why the GitHub Environment was configured such that only pushes to this branch will trigger the publish environment. see: PR in /infra

Ticket: DX-2083

dependabot bot and others added 11 commits April 30, 2024 22:16
@dependabot
chore(deps): bump tar from 6.1.13 to 6.2.1
9fdc829 
Bumps [tar](https://github.com/isaacs/node-tar) from 6.1.13 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.13...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
chore(deps): bump ip from 2.0.0 to 2.0.1
7a212af 
Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@andrew-scott-fischer
fix: change scope from @bitgo to @bitgo-forks
0e8433a
@ericcrosson-bitgo
Merge pull request #9 from BitGo/dependabot/npm_and_yarn/ip-2.0.1
f6fbbff 
chore(deps): bump ip from 2.0.0 to 2.0.1
@ericcrosson-bitgo
Merge pull request #8 from BitGo/dependabot/npm_and_yarn/tar-6.2.1
c06a2e6 
chore(deps): bump tar from 6.1.13 to 6.2.1
@ericcrosson-bitgo
Merge pull request #10 from BitGo/change-npm-scope
7853a2f 
fix: change scope from `@bitgo` to `@bitgo-forks`
@tanjeemh
ci: migrate to OIDC trusted publishing
251fbaa 
Ticket: DX-2083
@tanjeemh
chore: remove --frozen-lockfile
9297048 
Ticket: DX-2083
@tanjeemh
ci: update node-version
837b8ee 
Ticket: DX-2083
@tanjeemh
ci: modify pre-release to use OIDC
d67e76e 
Ticket: DX-2083
@tanjeemh
Merge pull request #12 from BitGo/DX-2083-trusted-publishing
5d1f0e2 
ci: migrate to OIDC trusted publishing
@tanjeemh tanjeemh closed this Nov 13, 2025
@tanjeemh tanjeemh reopened this Nov 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tanjeemh @andrew-scott-fischer @ericcrosson-bitgo