Skip to content

fix(release): enable npm trusted publishing (OIDC)#236

Merged
cipolleschi merged 2 commits into
0.87-stablefrom
fix/release-npm-token-0.87
Jul 8, 2026
Merged

fix(release): enable npm trusted publishing (OIDC)#236
cipolleschi merged 2 commits into
0.87-stablefrom
fix/release-npm-token-0.87

Conversation

@cipolleschi

@cipolleschi cipolleschi commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

The Release workflow failed to publish the template with an npm E404 (see run 28942433881).

The 404 was misleading — it's what npm returns for an unauthenticated publish. The root cause: now that we use trusted publishing, the workflow needs to perform an OIDC token exchange, but it never did. The job was missing the id-token: write permission, so GitHub never minted an OIDC token and the publish went out with no credentials.

Changes

  • Add permissions: id-token: write (OIDC token exchange for trusted publishing) and contents: write (so the bump commit & tag can still be pushed — once a permissions block is declared, unlisted scopes default to none).
  • Drop the now-obsolete NODE_AUTH_TOKEN env from the publish step.

(node-version: lts/* already bundles npm >= 11.5.1, which is required for trusted publishing, so no npm upgrade step is needed.)

Follow-ups to verify (outside this repo)

  • npm trusted publisher config must match: org react-native-community, repo template, workflow release.yaml, environment npm-publish.
  • GitHub environment npm-publish deployment branch rules must permit *-stable branches.

Note: the bump commit/tag from the failed run already landed (1e63335), so a re-run will take the "No changes… Continue to retry" path straight to publishing.

The release workflow failed to publish with an npm E404 because it never performed an OIDC token exchange: the job was missing the 'id-token: write' permission, so no trusted-publishing token was minted and the unauthenticated publish was rejected.

- Add id-token: write (OIDC) and contents: write (push commit/tag) permissions
- Upgrade npm to latest (trusted publishing requires npm >= 11.5.1)
- Drop the obsolete NODE_AUTH_TOKEN env now that we use trusted publishing
@cipolleschi cipolleschi requested review from cortinico and robhogan July 8, 2026 12:46
Comment thread .github/workflows/release.yaml Outdated
with:
node-version: 'lts/*'
registry-url: 'https://registry.npmjs.org'
- name: Ensure npm supports trusted publishing

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't needed - it's already Node 24 + npm > 11.5

Comment thread .github/workflows/release.yaml
@cipolleschi cipolleschi merged commit e7fd67a into 0.87-stable Jul 8, 2026
1 check passed
@cipolleschi cipolleschi deleted the fix/release-npm-token-0.87 branch July 8, 2026 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants