chore: Move to OIDC authentication for NPM publishing. #1009
| with: | ||
| aws_assume_role: ${{ inputs.aws_assume_role }} | ||
| ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN' | ||
| - name: Setup .yarnrc.yml |
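Review bot: the `ssm_parameter_pairs` line maps `/production/common/releasing/npm/token` into `NODE_AUTH_TOKEN`, a long-lived npm token that an OIDC publish does not need. If any part of this step is kept, drop that mapping so the job cannot publish with the stored token instead of the OIDC exchange, and retire the parameter once no workflow reads it.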
I am reasonably sure this is a remnant from when we used yarn to publish. We moved back to NPM to support provenance. We also need NPM in order to use OIDC.
| if: ${{ needs.release-please.outputs.package-common-released == 'true'}} | ||
| steps: | ||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 |
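Review bot: nothing in the visible lines of this job grants `id-token: write`, which the OIDC exchange with npm requires. If it is not set at workflow level, add it to this job's `permissions` and keep the remaining scopes read-only. Minor style point on the `if:` line: add a space before the closing `}}`.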
Moved this into a shared action run from full-release to make it easier to keep things uniform.
|
|
||
| - name: Update npm | ||
| shell: bash | ||
| # Must be greater than 11.5.1 for OIDC. |
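Review bot: the comment under `name: Update npm` says "greater than 11.5.1", but npm documents 11.5.1 itself as the minimum CLI version for OIDC trusted publishing, so "11.5.1 or later" is the accurate wording. The requirement is also only stated in a comment here: pin the exact npm version this step installs and fail the step when `npm --version` reports less than the minimum, so a bad version bump is caught before the publish step.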
I am hesitant to use latest here. But renovate should keep it updated. But we will have to make sure the versions it wants to use work with the node version we have selected.
This PR moves to OIDC publishing from using token-based authentication.
The OIDC integration between npmjs and GitHub only supports a single workflow to publish from. Previously we used two publishing workflows depending on if it was an automated release or manual. Now that we are limited to a single workflow we have to combine these two operations, and that combination constitutes the majority of the changes.
I ran a pre-pre-release of @launchdarkly/js-client-sdk from the rlamb/test-oidc branch. The run can be seen here:
https://github.com/launchdarkly/js-core/actions/runs/19478232676/job/55743422983
Note
Consolidates automated and manual publishing into a single release-please workflow, switches npm publishing to OIDC, centralizes Node setup, and updates docs.
- ./github/workflows/release-please.yml via workflow_dispatch (adds inputs, prerelease/dry-run) and remove manual-publish.yml.
- actions/setup-release-node composite to standardize Node 24 and npm 11.6.2.
- setup-release-node in actions/full-release and workflow jobs; remove per-job setup-node steps.
- actions/full-release.
- publish-jsr and publish steps; manual job supports Redis/DynamoDB setup when needed.
- contributing/publishing.md to describe the unified workflow and manual/automated paths; adjust references to release-please.yml.

Written by Cursor Bugbot for commit 7860383.
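
A preflight check for the release job this PR describes, added here as an example and not code from the PR or the js-core repository. It checks three conditions the change depends on: npm at or above 11.5.1 (the minimum npm documents for OIDC), the OIDC request variables GitHub Actions exposes to jobs with `id-token: write`, and no leftover `NODE_AUTH_TOKEN`. The names `version_ge`, `oidc_preflight` and `RUN_PREFLIGHT` are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the PR): preflight for a job that publishes with npm OIDC.
MIN_NPM="11.5.1"   # minimum npm CLI version for OIDC trusted publishing

# version_ge A B: succeed when major.minor.patch of A >= B.
# Pre-release or build suffixes ("-pre.1", "+sha") are ignored.
version_ge() {
  va=${1%%[-+]*}; vb=${2%%[-+]*}
  for _field in major minor patch; do
    x=${va%%.*}; y=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# oidc_preflight NPM_VERSION: report each problem on stderr and
# return the number of problems found (0 means ready to publish).
oidc_preflight() {
  problems=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM: OIDC publishing unavailable" >&2
    problems=$((problems + 1))
  fi
  # GitHub Actions exports both variables only to jobs granted id-token: write.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "no OIDC token endpoint in env: check permissions (id-token: write)" >&2
    problems=$((problems + 1))
  fi
  # A leftover long-lived token means publishing could still succeed without OIDC.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is set: remove the stored npm token from this job" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}

# RUN_PREFLIGHT is a hypothetical switch so the file can also be sourced.
if [ "${RUN_PREFLIGHT:-}" = 1 ]; then
  oidc_preflight "$(npm --version)" || exit 1
fi
```

Run as a step after the npm update and before `npm publish`, a non-zero exit stops the release before anything is uploaded.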