@GarthDB GarthDB commented Jan 22, 2026

Problem

PR #672 attempted to use skipNpmAuth: true but this parameter doesn't exist in changesets/action@v1. The workflow failed with:

Unexpected input(s) 'skipNpmAuth', valid inputs are ['publish', 'version', 'cwd', 'commit', 'title', 'setupGitUser', 'createGithubReleases', 'commitMode', 'branch']

Root Cause

The changesets/action@v1 creates its own .npmrc file when it doesn't find one, which expects an NPM_TOKEN. This blocks npm CLI from using OIDC authentication.

Solution

Create ~/.npmrc before the changesets action runs, configured with the registry and NPM_TOKEN placeholder. This allows npm CLI (11.5.1+) to:

  1. Find an existing .npmrc (so changesets doesn't create one)
  2. Auto-detect the OIDC environment (with id-token: write permission)
  3. Use trusted publishers for authentication

Changes

- name: Setup npm for OIDC authentication
  run: |
    cat > ~/.npmrc << 'EOF'
    registry=https://registry.npmjs.org/
    //registry.npmjs.org/:_authToken=${NPM_TOKEN}
    EOF

How OIDC Works

With trusted publishers configured on npmjs.com and id-token: write permission:

  1. npm CLI detects GitHub Actions OIDC environment
  2. Exchanges OIDC ID token for npm registry token automatically
  3. Uses that token for publish (no secrets needed)

Verification

All 8 packages already have trusted publishers configured correctly (verified via screenshots).

Testing

Merging this PR will trigger the release workflow, which should successfully publish:

  • @adobe/design-system-registry@1.1.0
  • @adobe/spectrum-tokens@14.1.0
  • @adobe/token-diff-generator@2.5.3
  • @adobe/spectrum-design-data-mcp@1.0.13

Related

Add skipNpmAuth flag to changesets action to prevent it from
creating token-based .npmrc configuration. This allows npm CLI
(11.5.1+) to auto-detect OIDC environment and use trusted publishers.

The changesets action was creating an .npmrc expecting NPM_TOKEN,
which blocked npm's automatic OIDC detection.
- Remove invalid skipNpmAuth parameter
- Create ~/.npmrc before changesets action runs
- Configure registry with NPM_TOKEN placeholder for OIDC
- npm CLI (11.5.1+) will auto-detect OIDC environment

changeset-bot bot commented Jan 22, 2026

⚠️ No Changeset found

Latest commit: 7fbbffa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



GarthDB commented Jan 22, 2026

Run report for 7fbbffa6

Total time: 7.1ms | Comparison time: 0s | Estimated loss: 7.1ms (100.0% slower)

Action Time Status Info
🟩 SyncWorkspace 7ms Passed
Touched files
.github/workflows/release.yml

@GarthDB GarthDB merged commit 2846a27 into main Jan 22, 2026
2 checks passed
@GarthDB GarthDB deleted the fix/oidc-npm-config-v2 branch January 22, 2026 22:58
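
An added example, not part of the PR or the repository's workflow: a POSIX shell preflight that checks the three conditions the PR description relies on (npm CLI 11.5.1+, the OIDC environment that comes with id-token: write, and a pre-existing ~/.npmrc) and goes one step further by flagging an .npmrc that holds a literal token instead of the ${NPM_TOKEN} placeholder. The function names are hypothetical; ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are the variables GitHub Actions exposes to jobs with that permission.

```sh
# Added example (not from the PR). Function names are hypothetical.

# version_ge A B: succeeds when dotted version A >= B (first three fields).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# oidc_env_present: GitHub Actions sets both variables only for jobs that
# were granted the id-token: write permission.
oidc_env_present() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] &&
    [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# npmrc_token_state FILE: prints missing | none | placeholder | literal,
# describing the npmjs _authToken entry in FILE.
npmrc_token_state() {
  [ -f "$1" ] || { echo missing; return 0; }
  value=$(sed -n 's|^//registry\.npmjs\.org/:_authToken=||p' "$1" | head -n 1)
  case "$value" in
    '') echo none ;;
    '${NPM_TOKEN}') echo placeholder ;;
    *) echo literal ;;
  esac
}

# preflight NPM_VERSION NPMRC: reports every failed condition, returns 1 if any.
preflight() {
  rc=0
  version_ge "$1" 11.5.1 || { echo "npm $1 is older than 11.5.1"; rc=1; }
  oidc_env_present || { echo "OIDC variables unset: check id-token: write"; rc=1; }
  case "$(npmrc_token_state "$2")" in
    missing) echo "$2 not found, so changesets/action would write its own"; rc=1 ;;
    literal) echo "$2 contains a literal token, not the placeholder"; rc=1 ;;
  esac
  return "$rc"
}

# In the workflow, after the "Setup npm for OIDC authentication" step:
#   preflight "$(npm --version)" "$HOME/.npmrc"
```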