Skip to content

feat: support OIDC auth for GitHub Actions/GitLab #6898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arcanis merged 12 commits into from
Sep 18, 2025
Merged

feat: support OIDC auth for GitHub Actions/GitLab #6898

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d9b2a3a
feat: support OIDC auth for GitHub Actions/GitLab
cometkim Sep 13, 2025
82f58f3
prepare release
cometkim Sep 13, 2025
09b2407
fix
cometkim Sep 13, 2025
d2b5b66
request oidc token only on publishing
cometkim Sep 13, 2025
54d1528
fix
cometkim Sep 13, 2025
76fe4f6
make trusted publisher setting as optional
cometkim Sep 13, 2025
4951d0a
mark cli as minor
cometkim Sep 17, 2025
c568e5b
use process.env directly
cometkim Sep 17, 2025
e1ab5da
set OIDC audience to registry.npmjs.org
cometkim Sep 17, 2025
75fd4ff
fix audience
cometkim Sep 17, 2025
5addc9f
Versions
arcanis Sep 18, 2025
3730bf3
Merge branch 'master' into npm-trusted-publish
arcanis Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
set OIDC audience to registry.npmjs.org
  • Loading branch information
@cometkim
cometkim committed Sep 17, 2025
commit e1ab5daa7961e9260141e054569194aa810547e5
9 changes: 8 additions & 1 deletion packages/plugin-npm/sources/npmHttpUtils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -597,8 +597,15 @@ async function getOidcToken(registry: string, {configuration, ident}: {configura
if (!(process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN))
return null;

// The specification for an audience is `npm:registry.npmjs.org`,
// where "registry.npmjs.org" can be any supported registry.
const audience = `audience:${new URL(registry).host
// Yarn registry is an alias domain to the NPM registry.
.replace(`registry.yarnpkg.com`, `registry.npmjs.org`)
.replace(`yarn.npmjs.org`, `registry.npmjs.org`)}`;

const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL);
url.searchParams.append(`audience`, `npm:${new URL(registry).host}`);
url.searchParams.append(`audience`, audience);

const response = await httpUtils.get(url.href, {
configuration,
Expand Down
Loading