9 changes: 6 additions & 3 deletions .github/workflows/release-please.yml
@@ -54,14 +54,17 @@ jobs:
- uses: actions/setup-node@v4
with:
node-version: "20"
registry-url: "https://registry.npmjs.org"

- run: npm ci
- run: npm run build
- run: npm test

# Trusted Publishing: No NPM_TOKEN needed!
- run: npm publish --access public --provenance
# Trusted Publishing via OIDC - no NPM_TOKEN needed
- run: |
echo "//registry.npmjs.org/:_authToken=\${NODE_AUTH_TOKEN}" > ~/.npmrc
npm publish --access public --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Comment on lines +62 to +67
⚠️ Potential issue | 🔴 Critical

Critical inconsistency between PR objectives, comment, and implementation.

There are several contradictions here:

  1. PR objective states: "OIDC trusted publishing isn't working. Fall back to token-based auth"
  2. Line 62 comment claims: "Trusted Publishing via OIDC - no NPM_TOKEN needed"
  3. Line 67 implementation: Uses secrets.NPM_TOKEN for authentication

Additionally, the --provenance flag at line 65 is typically associated with OIDC trusted publishing. If you're truly falling back to token-based authentication, you should:

  • Update the comment to reflect token-based authentication
  • Verify that --provenance works with token-based auth (or remove it if it doesn't)
  • Ensure the npmrc configuration approach is correct for your use case
🔎 Proposed fix for consistent token-based authentication
-      # Trusted Publishing via OIDC - no NPM_TOKEN needed
+      # Token-based authentication using NPM_TOKEN
       - run: |
           echo "//registry.npmjs.org/:_authToken=\${NODE_AUTH_TOKEN}" > ~/.npmrc
-          npm publish --access public --provenance
+          npm publish --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Note: If you want to keep --provenance for attestation generation, verify that it works with token-based auth and document this in the comment.

🤖 Prompt for AI Agents
In @.github/workflows/release-please.yml around lines 62-67, The workflow step
that currently echoes an npm token into ~/.npmrc and runs `npm publish --access
public --provenance` is inconsistent with the PR objective/inline comment;
update the inline comment to state this step is a token-based fallback, ensure
the env var and secret usage is explicit (use NODE_AUTH_TOKEN from
secrets.NPM_TOKEN) and confirm the echo line correctly interpolates that token,
and either verify that `--provenance` is supported with token-based publishing
(and add a short comment if verified) or remove the `--provenance` flag if it is
not supported.


mcp-registry-publish:
needs: [release-please, npm-publish]
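Review bot: The replacement comment "Trusted Publishing via OIDC - no NPM_TOKEN needed" contradicts the step directly under it, which sets `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`; reword it to say this is the token-based fallback so the next reader does not assume the job still runs without a secret. The `echo "//registry.npmjs.org/:_authToken=\${NODE_AUTH_TOKEN}" > ~/.npmrc` line is also unnecessary: `actions/setup-node@v4` with `registry-url: "https://registry.npmjs.org"` already configures npm to read the token from `NODE_AUTH_TOKEN`, and the `>` redirect clobbers any existing user `.npmrc`, so the step can be reduced to `npm publish --access public --provenance` with the `env:` block kept. Because publishing now relies on a long-lived secret instead of a short-lived OIDC credential, the `NPM_TOKEN` should be a granular automation token restricted to this package and rotated on a schedule. If `--provenance` stays, the job needs `id-token: write` in its `permissions:` (not visible in this hunk) because the attestation is signed with the Actions OIDC token even when the publish itself authenticates with a token.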