
ci(release): adopt npm staged publishing via OIDC#87

Merged
Mikola Lysenko (mikolalysenko) merged 1 commit into main from ci/npm-staged-publishing on May 27, 2026

Conversation

@mikolalysenko
Collaborator

Summary

  • Switch npm-publish to npm stage publish so releases go through npm's staging queue and require a 2FA-gated human approval before becoming installable.
  • Bump actions/setup-node to v6.4.0 with package-manager-cache: false (kills the always-auth deprecation warning from v4).
  • Drop --provenance — OIDC trusted publishing emits provenance automatically.
  • Add a step that writes per-package review links and an org-dashboard URL to the workflow run's step summary, plus a ::notice:: pointing maintainers straight at the staged-packages dashboard.

Why

The previous release failed with 403 OIDC permission denied for this action because npm's trusted-publisher rules (effective 2026-05-20) require the allowed-action checkbox to be explicit, and direct npm publish from CI is no longer the recommended path for trusted-publisher-driven workflows. Staged publishing pairs with trusted publishing to give "proof of presence" on every release — a stolen OIDC token cannot ship a malicious version without a maintainer's 2FA approval.

Required manual setup (one-time, per package)

For each of the 15 packages, visit https://www.npmjs.com/package/@socketsecurity/<pkg>/access and configure a Trusted Publisher:

  • Publisher: GitHub Actions
  • Organization: SocketDev
  • Repository: socket-patch
  • Workflow filename: release.yml
  • Environment: (blank)
  • Allowed actions: ✅ npm publish and npm stage publish

Packages: socket-patch, socket-patch-android-arm64, socket-patch-darwin-{arm64,x64}, socket-patch-linux-{arm,arm64,ia32,x64}-{gnu,musl}, socket-patch-win32-{arm64,ia32,x64}.

Without this, the workflow will still 403.

Maintainer approval flow (per release)

After the workflow finishes, the run page's step summary lists every staged version with its review URL. Approve platform packages first (so optionalDependencies resolution sees binaries when the main package goes live), then the main @socketsecurity/socket-patch package. Two paths:

  • Web: click each link → Approve (2FA prompt inline).
  • CLI: npm stage list then npm stage approve <stage-id> per package (requires npm@11.15.0+ locally + 2FA device).

npm stage approve cannot use OIDC tokens by design, so this step is necessarily a human + 2FA action.

Cleanup follow-up

The previous failing run showed NODE_AUTH_TOKEN: XXXXX-... getting auto-injected from an org/repo secret of that name. With OIDC it's unused (npm 11.15.0+ prefers OIDC env vars over _authToken), but the secret should eventually be deleted to remove the fallback path.

Test plan

  • Configure trusted publishers on all 15 packages on npmjs.com (manual prerequisite).
  • Bump Cargo.toml to a new patch version + add CHANGELOG.md entry.
  • Trigger Release workflow with dry-run: false.
  • Confirm npm-publish job succeeds with no always-auth warning and no 403.
  • Confirm the run's step summary lists 15 packages with review URLs.
  • Approve platform packages, then the main package; verify npm install @socketsecurity/socket-patch@<new-version> resolves with the right binary and shows "Built and signed on GitHub Actions" provenance in the UI.

🤖 Generated with Claude Code
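The publish step and maintainer-facing summary described in the PR, written out as an added shell example. This is not the socket-patch release.yml or any code from the PR: it is the body one would put in the npm-publish job's `run:` step. It relies on what the PR states (`npm stage publish --access public` per package, npm@11.15.0+, the 15 package names, platform packages approved before the main one) plus one fact about OIDC trusted publishing: the job must grant `permissions: id-token: write`, and nothing else, for npm to obtain the short-lived token. Assumptions not on the page: each package lives in `packages/<name>/`, the staged-packages dashboard URL is supplied through a repository variable `NPM_STAGED_DASHBOARD_URL` (the real URL is not given in the PR), and `PUBLISH_CMD` can be overridden for dry runs.

```shell
#!/usr/bin/env sh
# Added example, not socket-patch's release.yml: the npm-publish step body as
# the PR describes it. It stage-publishes every package over OIDC (the job
# needs `permissions: id-token: write`; no NODE_AUTH_TOKEN is involved), then
# writes the step summary and a ::notice:: for maintainers. Assumptions not on
# the PR page: packages live in packages/<name>/, the dashboard URL comes from
# NPM_STAGED_DASHBOARD_URL, and PUBLISH_CMD can be overridden for dry runs.
set -eu

SCOPE="@socketsecurity"
MAIN_PKG="socket-patch"
PUBLISH_CMD="${PUBLISH_CMD:-npm stage publish --access public}"

# The 15 packages listed in the PR, with its brace patterns expanded.
expand_packages() {
  echo socket-patch
  echo socket-patch-android-arm64
  for a in arm64 x64; do echo "socket-patch-darwin-$a"; done
  for a in arm arm64 ia32 x64; do
    for l in gnu musl; do echo "socket-patch-linux-$a-$l"; done
  done
  for a in arm64 ia32 x64; do echo "socket-patch-win32-$a"; done
}

# Approval order from the PR: platform packages first, the main package last,
# so optionalDependencies resolve to live binaries when the main one goes live.
# Reads package names on stdin; blank lines are dropped.
approval_order() {
  list=$(cat)
  printf '%s\n' "$list" | grep -Fvx -e "$MAIN_PKG" -e '' || true
  printf '%s\n' "$list" | grep -Fx "$MAIN_PKG" || true
}

# Stage-publish each package and print the names that were staged. The
# registry only ever sees an OIDC token minted for this run, and even a stolen
# one cannot make a version installable: approval is a separate 2FA step.
stage_publish_all() {
  for pkg in $(expand_packages); do
    if (cd "packages/$pkg" && $PUBLISH_CMD); then
      echo "$pkg"
    else
      echo "::warning::stage publish failed for $SCOPE/$pkg" >&2
    fi
  done
}

# Reads staged names on stdin; writes the step summary in approval order and
# emits a ::notice:: pointing at the staged-packages dashboard.
write_summary() {
  out="${GITHUB_STEP_SUMMARY:-/dev/stdout}"
  dashboard="${NPM_STAGED_DASHBOARD_URL:-(set NPM_STAGED_DASHBOARD_URL)}"
  {
    echo "## Staged npm packages (approve in this order; 2FA required)"
    echo
    approval_order | while IFS= read -r pkg; do
      echo "- $SCOPE/$pkg"
    done
    echo
    echo "Dashboard: $dashboard"
  } >"$out"
  echo "::notice title=npm staged packages::Approve staged versions at $dashboard"
}

# Workflow step usage:  stage_publish_all | write_summary
```

In the real step the two functions are chained as `stage_publish_all | write_summary`; for a rehearsal without touching the staging queue, run it with `PUBLISH_CMD="npm pack --dry-run"`, which exercises the same per-package loop and summary output. Packages that fail to stage are reported as `::warning::` lines and simply do not appear in the approval list, so a maintainer approving from the summary cannot accidentally publish the main package ahead of a missing platform binary.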

Switches the npm-publish job to `npm stage publish` so the GitHub
Actions workflow uploads tarballs to npm's staging queue. A maintainer
then approves each staged version with 2FA from npmjs.com or the npm
CLI before it becomes installable.

The previous direct-publish flow was failing with `OIDC permission
denied for this action` against npm's post-2026-05-20 trusted-publisher
rules, which require the allowed-action checkbox(es) to be explicit.
Each of the 15 packages needs a trusted publisher configured on
npmjs.com (SocketDev/socket-patch → release.yml) with both `npm publish`
and `npm stage publish` allowed; the workflow uses stage-publish for
every release.

Workflow changes:
- Bump actions/setup-node to v6.4.0 + package-manager-cache: false
  (eliminates the always-auth deprecation warning emitted by v4).
- Replace `npm publish --provenance --access public` with
  `npm stage publish --access public`. OIDC trusted publishing emits
  provenance automatically, so --provenance is now redundant.
- Collect successfully staged package names and write a step summary
  with org-dashboard and per-package review links, plus a ::notice::
  pointing at the staged-packages dashboard, so maintainers can click
  straight from the workflow run page into the approval UI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mikolalysenko Mikola Lysenko (mikolalysenko) merged commit cfa554e into main May 27, 2026
43 checks passed
@mikolalysenko Mikola Lysenko (mikolalysenko) deleted the ci/npm-staged-publishing branch May 27, 2026 18:13
