GarthDB (Member) commented Jan 23, 2026

Purpose

This PR adds a verification step to test if OIDC environment variables are actually available in the GitHub Actions shell environment.

Changes

  1. Add OIDC verification step that checks:

    • ACTIONS_ID_TOKEN_REQUEST_URL is set
    • ACTIONS_ID_TOKEN_REQUEST_TOKEN is set
    • npm version
    • No conflicting .npmrc files
  2. Separate publishing step that calls pnpm changeset publish directly

Why This Test?

We need to determine if the OIDC environment variables are:

  • ✅ Present in the shell environment (GitHub Actions should set them with id-token: write)
  • ❌ Being stripped out by proto shims
  • ❌ Not being set at all (configuration issue)

Expected Outcomes

If verification step PASSES but publish still fails:

→ Proto shims are stripping/not inheriting the OIDC variables
→ Need to find a proto-compatible solution

If verification step FAILS:

→ OIDC variables aren't being set by GitHub Actions
→ Need to investigate id-token: write permission setup

If both PASS:

→ OIDC is working! 🎉

Related

This tests if npm can detect OIDC when called directly from workflow steps
rather than through the changesets-action fork.

Approach:
1. Add verification step to confirm OIDC environment variables are present
2. Use changesets/action for versioning only (no publish parameter)
3. Manually run 'pnpm changeset publish' in a separate step
4. npm should auto-detect OIDC from GitHub Actions environment

This bypasses the complex environment variable passing through Node.js
process.env and tests if proto shims can work with OIDC when the variables
are already in the shell environment.

If this works, it means the proto shims CAN work with OIDC, we just need
to ensure the environment variables are available in the shell, not passed
through Node.js.

If this fails, it means there's a fundamental incompatibility between
proto shims and npm's OIDC auto-detection.
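The verification step described above, as an added example; this is not the project's release workflow nor GarthDB's script. It is a POSIX sh script meant to run in a GitHub Actions `run:` step under a job with `permissions: id-token: write`, and it checks exactly what the PR lists: that `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` are exported, that npm meets a minimum version, and that no `.npmrc` on the path carries a static credential. `MIN_NPM` is set to the 11.6.2 this thread uses (an assumption taken from the discussion, not a documented minimum); the `.npmrc` paths, the claim names and the `npm:registry.npmjs.org` audience in the constructed sample token are assumptions about what npm's trusted publishing checks, and the sample token itself is constructed locally with a dummy signature.

```shell
#!/bin/sh
# verify-oidc.sh -- added example, not the project's release workflow.
# Checks the preconditions npm's OIDC trusted publishing needs in a
# GitHub Actions `run:` step, before `pnpm changeset publish` executes.

# Lowest npm this thread settled on for OIDC publishing (assumption taken
# from the discussion; adjust to the registry's documented minimum).
MIN_NPM=11.6.2

# The runner exports these only when the job has `id-token: write`.
# The second is a bearer credential for the token endpoint: print its
# name, never its value.
check_oidc_env() {
  rc=0
  for v in ACTIONS_ID_TOKEN_REQUEST_URL ACTIONS_ID_TOKEN_REQUEST_TOKEN; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "MISSING: $v" >&2
      rc=1
    else
      echo "present: $v"
    fi
  done
  return "$rc"
}

# 0 if dotted version $1 >= $2. Assumes plain major.minor.patch numbers.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# 0 if none of the listed .npmrc files carries a static credential that
# would shadow OIDC, 1 if any does. Missing files are skipped.
find_conflicting_npmrc() {
  found=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -Eq '(_authToken|_auth|_password)[[:space:]]*=' "$f"; then
      echo "CONFLICT: $f contains a static registry credential" >&2
      found=1
    fi
  done
  return "$found"
}

# base64url without padding, used only to build the sample token below.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Print string claim $2 from the payload of JWT $1. Decodes only; the
# signature is NOT verified here (that is the registry's job). Assumes
# the minimal JSON GitHub emits, with no escaped quotes in values.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in 2) payload="$payload==" ;; 3) payload="$payload=" ;; esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Constructed sample token (not a real GitHub token; dummy signature) with
# the claims a trusted-publisher rule is matched against. The audience
# value is an assumption about what npm requests from the runner.
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  body=$(printf '%s' '{"aud":"npm:registry.npmjs.org","repository":"example-org/example-repo","workflow_ref":"example-org/example-repo/.github/workflows/release.yml@refs/heads/main","ref":"refs/heads/main"}' | b64url)
  printf '%s.%s.%s' "$hdr" "$body" dummysig
}

# Full check as it would run inside the workflow step.
verify_all() {
  check_oidc_env || return 1
  npm_ver=$(npm --version 2>/dev/null) || { echo "npm not on PATH" >&2; return 1; }
  version_ge "$npm_ver" "$MIN_NPM" || { echo "npm $npm_ver is older than $MIN_NPM" >&2; return 1; }
  find_conflicting_npmrc "$HOME/.npmrc" ./.npmrc || return 1
  echo "OIDC preconditions OK (npm $npm_ver)"
}

# Usage in the workflow: `sh verify-oidc.sh --run` as its own `run:` step.
if [ "${1:-}" = "--run" ]; then
  verify_all
fi
```

Two points worth keeping when adapting this: the script echoes only the names of the two runner variables, because `ACTIONS_ID_TOKEN_REQUEST_TOKEN` is the credential that lets anything in the job mint an identity token, and a `run:` step that prints it leaks it into the job log; and `jwt_claim` is there so that, once the real token is fetched, the `repository` and `workflow_ref` claims can be compared against the trusted-publisher rule on the registry before blaming the toolchain, since a claim mismatch produces the same authentication failure as a missing variable.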
changeset-bot (bot) commented Jan 23, 2026

⚠️ No Changeset found

Latest commit: af9ffef

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


GarthDB (Member, Author) commented Jan 23, 2026

Run report for af9ffef5

Total time: 7.1ms | Comparison time: 0s | Estimated loss: 7.1ms (100.0% slower)

Action Time Status Info
🟩 SyncWorkspace 7ms Passed
Touched files
.github/workflows/release.yml

@GarthDB GarthDB merged commit 1e05b71 into main Jan 23, 2026
4 checks passed
@GarthDB GarthDB deleted the fix/oidc-shell-level-env branch January 23, 2026 23:14
GarthDB added a commit that referenced this pull request Jan 23, 2026
This version explicitly passes OIDC environment variables to the publish
command execution, which should fix the proto shim compatibility issue.

Changes:
- Use GarthDB/changesets-action@v1.6.8 instead of changesets/action@v1
- Enable oidcAuth: true to activate explicit env var passing
- Restore single-step publish (no need for separate manual publish step)
- Remove verification step (v1.6.8 handles validation internally)

How v1.6.8 fixes the proto shim issue:
- PR #687 confirmed OIDC vars ARE present in GitHub Actions shell
- Previous versions failed because vars were lost through proto shim chain
- v1.6.8 explicitly passes env vars to exec() call using env option
- This forces OIDC variables through: action → pnpm → changeset → npm

Expected outcome:
✅ npm should detect OIDC from explicitly passed environment variables
✅ Packages should publish successfully with provenance
✅ Works with proto/moonrepo toolchains and standard environments

Related:
- v1.6.8 release: https://github.com/GarthDB/changesets-action/releases/tag/v1.6.8
- Root cause identified in PR #687
- Builds on npm 11.6.2 setup from PR #680
GarthDB added a commit that referenced this pull request Jan 23, 2026
This PR tests if npm OIDC works when we bypass proto/moonrepo shims entirely.

Changes:
- Replace moonrepo/setup-toolchain with actions/setup-node
- Install npm 11.6.2 directly (no proto shim)
- Install pnpm 10.17.1 directly (no proto shim)
- Install moon 1.39.1 directly (no proto shim)
- Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true

Purpose:
After exhaustive testing (v1.6.4-v1.6.8, PR #687), we've confirmed:
✅ OIDC environment variables ARE present in GitHub Actions
✅ npm 11.6.2 is the correct version
✅ Trusted publishers are configured correctly
❌ npm can't authenticate through proto shim chain

This test will definitively show if proto shims are the blocker.

Expected outcomes:

If this WORKS (✅ npm publishes successfully):
→ Proto shims are confirmed as the issue
→ We have two options:
  1. Use this direct install approach (no proto in release workflow)
  2. File bug with proto/moonrepo about OIDC support

If this FAILS (❌ still ENEEDAUTH):
→ Something else is wrong with OIDC setup
→ Fall back to NPM_TOKEN

Related:
- All v1.6.x attempts: ENEEDAUTH with proto
- PR #687: Confirmed OIDC vars present in shell
- PR #688: v1.6.8 still failed with proto
GarthDB added a commit that referenced this pull request Jan 23, 2026
Previous PR #689 failed because moon requires proto even when installed directly.
This PR bypasses both proto AND moon to test OIDC compatibility.

Changes:
- Remove moon entirely from release workflow
- Install Node.js, npm, and pnpm directly (no proto)
- Run pnpm install to get dependencies
- Build tokens package directly with node commands
- Keep GarthDB/changesets-action@v1.6.8 with oidcAuth: true

Why this should work:
- moon is tightly coupled to proto (requires proto shims)
- Only tokens package has build tasks (buildTokens + buildManifest)
- Other packages (component-schemas, design-system-registry) have no build
- Running build commands directly bypasses moon dependency on proto

Process flow without proto/moon:
1. Install Node.js 20.17.0 directly
2. Install npm 11.6.2 directly (OIDC compatible)
3. Install pnpm 10.17.1 directly
4. Run pnpm install (no shims involved)
5. Build tokens with direct node commands
6. changesets-action passes OIDC env vars to npm
7. npm publishes with OIDC (no shim interference)

Expected outcome:
✅ npm should detect OIDC and publish successfully

Related:
- PR #689: Failed because moon requires proto
- PR #688: v1.6.8 failed with proto shims
- PR #687: Confirmed OIDC vars present in shell