
Migrate npm publishing to Trusted Publishers (eliminate static NPM_TOKEN) #12

Description

@kayodebristol

Summary

Migrate all plures org npm packages from static NPM_TOKEN authentication to npm's Trusted Publishers (OIDC-based keyless publishing). This eliminates the need for manual token rotation and reduces secret sprawl.

Current State (after this commit)

  • id-token: write permission set in reusable workflow
  • --provenance flag added to npm publish (commit 1f4d65b)
  • Provenance attestations will now appear on each published package version on npmjs.org
  • Static NPM_TOKEN is still required for actual authentication

Migration Plan

Phase 1: Provenance Attestation (DONE)

The --provenance flag attaches a Sigstore-signed attestation to each publish, proving the package was built from a specific commit in this repo. This is now live.

Phase 2: Configure npm Trusted Publishers (MANUAL — requires web UI)

For each package, a maintainer must:

  1. Go to https://www.npmjs.com/package/@plures//access
  2. Under Publishing access → Trusted Publishers, click "Add trusted publisher"
  3. Configure:
    • Repository owner: plures
    • Repository name: the source repo (e.g., pluresdb, praxis, etc.)
    • Workflow filename: release.yml (the per-repo workflow that calls the reusable one)
    • Environment: (leave blank unless using GitHub Environments)
  4. Repeat for every package

Packages to configure:

  • @plures/pluresdb → repo: pluresdb
  • @plures/praxis → repo: praxis
  • @plures/pares-agens → repo: pares-agens
  • @plures/plureslm → repo: pluresLM
  • @plures/pares-radix → repo: pares-radix
  • @plures/pares-modulus → repo: pares-modulus
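The trusted publisher entry matches on the filename of the top-level workflow that triggered the run, i.e. the per-repo `release.yml`, not the reusable workflow it calls. As an added example (not the org's actual workflow), here is what such a caller looks like; the tag trigger, the reusable workflow path `plures/.github/.github/workflows/npm-publish.yml`, and the secret wiring are assumptions.

```yaml
# .github/workflows/release.yml in a package repo (e.g. plures/pluresdb)
# Added example; the reusable-workflow path and trigger below are assumptions.
name: Release

on:
  push:
    tags:
      - "v*"

# The caller must grant id-token: write; a reusable workflow cannot
# escalate beyond the permissions it is called with.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    # Reusable workflow assumed to live in the org's .github repo
    uses: plures/.github/.github/workflows/npm-publish.yml@main
    secrets:
      # Interim only (Phase 1/2). Drop this line once Phase 3 removes the org secret.
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The value entered as "Workflow filename" in the npm UI must be exactly `release.yml`; a renamed caller workflow will fail the OIDC claim match even if the reusable workflow is unchanged.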

Phase 3: Remove Static Token

Once Trusted Publishers is configured and verified:

  1. Do a test publish from GitHub Actions without NPM_TOKEN set
  2. Verify the OIDC flow works end-to-end
  3. Remove NPM_TOKEN from org secrets
  4. Update the workflow to remove the NODE_AUTH_TOKEN env var (or make it conditional)
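To show what the Current State items (id-token: write plus --provenance) and Phase 3 step 4 (a conditional NODE_AUTH_TOKEN) look like together, here is an added example of a reusable workflow. It is not the org's real `npm-publish.yml`; the path, the node version, the build commands and the assumption that npm falls back to the OIDC token when no auth token is configured are all assumptions to be checked against npm's trusted publishing docs.

```yaml
# Reusable workflow (assumed path: plures/.github/.github/workflows/npm-publish.yml)
# Added example, not the org's actual workflow.
name: npm publish (reusable)

on:
  workflow_call:
    secrets:
      NPM_TOKEN:
        required: false   # optional, so the Phase 3 test publish can run without it

permissions:
  contents: read
  id-token: write   # lets npm request a GitHub OIDC token for provenance / trusted publishing

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22          # assumption; pick the version the packages target
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI with OIDC support
      # (check npm's docs for the minimum version; this upgrade is an assumption).
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build --if-present

      # Interim path (Phase 1/2): static token still present, provenance still attached.
      - name: Publish (static token, interim)
        if: ${{ secrets.NPM_TOKEN != '' }}
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Target path (Phase 3): no token secret passed, so no NODE_AUTH_TOKEN is set and
      # npm is expected to authenticate with the OIDC token instead (assumption, see above).
      - name: Publish (Trusted Publisher / OIDC)
        if: ${{ secrets.NPM_TOKEN == '' }}
        run: npm publish --provenance --access public
```

For Phase 3 step 1, the test publish is simply a run of the caller with the `NPM_TOKEN` line removed from its `secrets:` block (or with the org secret unset): the second publish step then runs and the first is skipped. If the OIDC path works end-to-end, the version appears on npmjs.org with a provenance attestation, after which the first step and the `NPM_TOKEN` secret declaration can be deleted.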

References

Interim: Token Rotation

Until Phase 2 is complete, NPM_TOKEN must be rotated periodically. Current rotation schedule: every 90 days. Set a reminder.
