From a7231dcdde0779e5d5441a4f4d45eb136223564e Mon Sep 17 00:00:00 2001
From: garthdb
Date: Thu, 22 Jan 2026 15:48:36 -0700
Subject: [PATCH 1/2] fix(ci): configure changesets to skip npm auth for OIDC

Add skipNpmAuth flag to changesets action to prevent it from creating token-based .npmrc configuration. This allows npm CLI (11.5.1+) to auto-detect OIDC environment and use trusted publishers. The changesets action was creating an .npmrc expecting NPM_TOKEN, which blocked npm's automatic OIDC detection.
---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8c791a82..8cd9eabb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,10 +33,11 @@ jobs:
 commit: "chore: release"
 # This expects you to have a script called release which does a build for your packages and calls changeset publish
 publish: pnpm release
+ # Skip npm auth setup - let npm CLI auto-detect OIDC (requires npm 11.5.1+)
+ skipNpmAuth: true
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- # NPM_TOKEN no longer needed - using OIDC trusted publishing
- # NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ # NPM_TOKEN no longer needed - npm CLI auto-detects OIDC with id-token permission
 # - name: Send a Slack notification if a publish happens
 # if: steps.changesets.outputs.published == 'true'

From b5ed45f3e58d02fcbbc7f2a44bf264c1a5e48113 Mon Sep 17 00:00:00 2001
From: garthdb
Date: Thu, 22 Jan 2026 15:53:16 -0700
Subject: [PATCH 2/2] fix(ci): create npmrc before changesets to enable OIDC

- Remove invalid skipNpmAuth parameter
- Create ~/.npmrc before changesets action runs
- Configure registry with NPM_TOKEN placeholder for OIDC
- npm CLI (11.5.1+) will auto-detect OIDC environment
---
 .github/workflows/release.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cd9eabb..81b83613 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,14 @@ jobs:
 - uses: moonrepo/setup-toolchain@v0
 with:
 auto-install: true
+ - name: Setup npm for OIDC authentication
+ run: |
+ # Create .npmrc for registry without auth token
+ # npm CLI (11.5.1+) will auto-detect OIDC and handle authentication
+ cat > ~/.npmrc << 'EOF'
+ registry=https://registry.npmjs.org/
+ //registry.npmjs.org/:_authToken=${NPM_TOKEN}
+ EOF
 - run: moon setup
 - run: moon run :build --query "projectSource~packages/*"
 - name: Publish
@@ -33,11 +41,9 @@ jobs:
 commit: "chore: release"
 # This expects you to have a script called release which does a build for your packages and calls changeset publish
 publish: pnpm release
- # Skip npm auth setup - let npm CLI auto-detect OIDC (requires npm 11.5.1+)
- skipNpmAuth: true
 env:
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- # NPM_TOKEN no longer needed - npm CLI auto-detects OIDC with id-token permission
+ # NPM_TOKEN is not set - npm CLI will use OIDC authentication automatically
 # - name: Send a Slack notification if a publish happens
 # if: steps.changesets.outputs.published == 'true'
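Review bot: The heredoc in the new "Setup npm for OIDC authentication" step still writes `//registry.npmjs.org/:_authToken=${NPM_TOKEN}` to `~/.npmrc` even though its own comment says "without auth token" and the second hunk states NPM_TOKEN is not set, so npm has to resolve an undefined variable at config-load time; depending on the npm version that either aborts config loading with an env-replacement error or leaves an empty or literal token, and an `_authToken` entry for the registry is exactly the condition the previous commit identified as blocking OIDC detection. If the line exists only so the changesets action finds an existing auth entry and does not append its own (which is what the commit message's "placeholder" wording suggests), that should be stated, and the npm version should be checked rather than assumed, since nothing in this hunk pins it and `moonrepo/setup-toolchain` installs whatever the toolchain config says — e.g. add `npm --version` to this step and fail if it is older than 11.5.1. At minimum make the comment match the file contents: `# Placeholder _authToken line so the changesets action keeps this .npmrc; npm resolves ${NPM_TOKEN} itself (unset here) and is expected to fall back to OIDC`. Trusted publishing also requires `permissions: id-token: write` on this job, which is outside the hunk — confirm it is declared.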