Skip to content

fix(ci): configure changesets to skip npm auth for OIDC #672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
GarthDB merged 1 commit into from
Jan 22, 2026
Merged

fix(ci): configure changesets to skip npm auth for OIDC #672

GarthDB merged 1 commit into from
Jan 22, 2026

Conversation

@GarthDB
Copy link
Member

@GarthDB GarthDB commented Jan 22, 2026

Problem

PR #671 enabled OIDC trusted publishing and all 8 packages have been configured on npmjs.com, but the publish still failed with:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in

Root Cause

The changesets/action@v1 was creating an .npmrc file expecting the (now removed) NPM_TOKEN environment variable. This prevented npm CLI from auto-detecting the OIDC environment and using trusted publishers.

From the logs:

No user .npmrc file found, creating one

Solution

Added skipNpmAuth: true to the changesets action configuration. This prevents the action from creating token-based authentication, allowing npm CLI (11.5.1+) to automatically detect and use OIDC authentication.

How OIDC Works

With id-token: write permission and trusted publishers configured:

  1. npm CLI automatically detects GitHub Actions OIDC environment
  2. Exchanges the OIDC ID token for an npm registry token
  3. Uses that token for authentication (all automatic)

No NPM_TOKEN secret needed!

Verification

All 8 packages have trusted publishers configured:

  • ✅ @adobe/changeset-linter
  • ✅ @adobe/optimized-diff
  • ✅ @adobe/spectrum-component-api-schemas
  • ✅ @adobe/spectrum-component-diff-generator
  • ✅ @adobe/spectrum-design-data-mcp
  • ✅ @adobe/spectrum-diff-core
  • ✅ @adobe/spectrum-tokens
  • ✅ @adobe/token-diff-generator

Testing

This can be verified by:

  1. Merging this PR
  2. Re-running the failed release workflow
  3. Confirming packages publish successfully with OIDC auth

Related

@GarthDB
fix(ci): configure changesets to skip npm auth for OIDC
a7231dc 
Add skipNpmAuth flag to changesets action to prevent it from
creating token-based .npmrc configuration. This allows npm CLI
(11.5.1+) to auto-detect OIDC environment and use trusted publishers.

The changesets action was creating an .npmrc expecting NPM_TOKEN,
which blocked npm's automatic OIDC detection.
@changeset-bot
Copy link

changeset-bot bot commented Jan 22, 2026

⚠️ No Changeset found

Latest commit: a7231dc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@GarthDB
Copy link
Member Author

GarthDB commented Jan 22, 2026

Run report for a7231dcd

Total time: 7ms | Comparison time: 0s | Estimated loss: 7ms (100.0% slower)

Action Time Status Info
🟩 SyncWorkspace 6.9ms Passed
Touched files
.github/workflows/release.yml

@GarthDB GarthDB merged commit 4f003cb into main Jan 22, 2026
4 checks passed
@GarthDB GarthDB deleted the fix/oidc-npm-config branch January 22, 2026 22:50
@GarthDB GarthDB restored the fix/oidc-npm-config branch January 22, 2026 22:53
This was referenced Jan 22, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GarthDB