
Configure NPM publishing with OIDC trusted publishers#28

Merged
empeje merged 3 commits into master from copilot/add-oidc-trusted-publisher on Jan 26, 2026

Conversation

Contributor

Copilot AI commented Jan 26, 2026

Migrates NPM publishing from long-lived NPM_TOKEN secrets to GitHub Actions OIDC authentication with provenance attestations.

Changes

  • Workflow permissions: Added id-token: write and contents: read to publish job for OIDC token generation
  • Publish command: Changed to npm publish --provenance --access public (from yarn publish with token auth)
  • Removed: NODE_AUTH_TOKEN secret dependency
  • Documentation: Added .github/PUBLISHING.md with trusted publisher configuration steps for npmjs.com

Setup Required

Repository maintainer must configure trusted publisher at npmjs.com:

  • Organization: kulkultech
  • Repository: tinyurl-client
  • Workflow: test-and-publish.yml

After configuration, releases will publish automatically with cryptographic build provenance.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

can you set publish using https://docs.npmjs.com/trusted-publishers#supported-cicd-providers OIDC and trusted publisher.


Co-authored-by: empeje <11813607+empeje@users.noreply.github.com>
@empeje empeje marked this pull request as ready for review January 26, 2026 22:52
Copilot AI review requested due to automatic review settings January 26, 2026 22:52
@charliecreates charliecreates bot requested a review from CharlieHelps January 26, 2026 22:52

Copilot AI left a comment


Pull request overview

This PR migrates the NPM publishing workflow from token-based authentication to OIDC (OpenID Connect) authentication using NPM's Trusted Publishers feature. This improves security by eliminating the need for long-lived NPM tokens stored as GitHub secrets.

Changes:

  • Added OIDC permissions (id-token: write and contents: read) to the publish job
  • Switched publish command to use npm publish --provenance --access public with provenance attestations
  • Removed NODE_AUTH_TOKEN environment variable dependency


run: yarn publish --access public --non-interactive
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --provenance --access public
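Review bot: removing NODE_AUTH_TOKEN leaves the OIDC exchange as the only credential path for this step, and that exchange is implemented only in recent npm CLIs (11.5.1 or newer per the trusted-publishers docs linked in the original prompt); the review below notes the workflow still pins Node 16, whose bundled npm 8 also predates `--provenance` (npm 9.5.0), so as written the publish step would fail to authenticate rather than publish with attestations. Suggest pairing this line with a newer `node-version` in setup-node or an explicit `npm install -g npm@latest` step before it, and confirming setup-node still sets `registry-url` for registry.npmjs.org so npm knows which registry to exchange the token with.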

Copilot AI Jan 26, 2026


The workflow is using npm to publish, but the project consistently uses yarn everywhere else (install, build, cache configuration). While npm and yarn are interoperable, this inconsistency could be confusing and may cause unexpected behavior. Consider changing this to yarn publish --provenance --access public to maintain consistency with the rest of the workflow and project configuration.

Suggested change
run: npm publish --provenance --access public
run: yarn publish --provenance --access public
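Review bot: the suggested `yarn publish --provenance` would not work with the Yarn version this workflow uses: the removed line's `--non-interactive` flag is Yarn 1 syntax, and Yarn 1's `publish` command has no `--provenance` option and does not perform npm's OIDC trusted-publishing token exchange, so the step would fall back to needing the NODE_AUTH_TOKEN this PR removes. If consistency with Yarn for install/build is the goal, keep Yarn for those steps and leave the publish step on the npm CLI, stating that split explicitly in a comment in the workflow.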


@charliecreates charliecreates bot left a comment


The OIDC permissions and npm publish --provenance change is directionally correct, but switching from yarn publish to npm publish risks release failures if versioning isn’t explicitly handled for the release.created trigger. The workflow also pins Node 16 (EOL), which is a compatibility and supply-chain risk for CI/CD publishing. Finally, the workflow now mixes Yarn for build with npm for publish; that can be OK, but it should be made intentional or standardized to avoid subtle publish-time differences.

Additional notes (3)
  • Compatibility | .github/workflows/test-and-publish.yml:55-58
    Switching from yarn publish to npm publish can break releases if the package version isn’t bumped before publishing. yarn publish commonly handled versioning prompts/behavior, while npm publish will fail with You cannot publish over the previously published versions unless your release process already updates package.json version.

Given this workflow triggers on release.created, it’s worth making the version source explicit (tag-driven) or ensuring the version is already set in the repo at that ref.

  • Compatibility | .github/workflows/test-and-publish.yml:41-43
    You’re still using Node.js 16, which is EOL. Even if it currently works, provenance/SLSA-related tooling and ecosystem packages are increasingly assuming newer runtimes, and this can become a surprise breakage for releases.

Upgrading the workflow runtime reduces supply-chain risk and avoids sudden deprecations in GitHub-hosted runners/actions.

  • Maintainability | .github/workflows/test-and-publish.yml:43-43
    The publish job uses npm publish but dependency installation/build uses Yarn. That’s fine, but it increases the chance of publishing with the wrong lock/tooling expectations (e.g., if prepare/prepublishOnly scripts rely on Yarn assumptions). Also, npm publish will use .npmrc/npm config; setup-node sets up auth/registry config, but Yarn-specific config won’t apply.

If you keep mixed tooling, it’s worth making it intentional and stable.

Summary of changes

Workflow updates for NPM Trusted Publishing (OIDC)

  • Added job-level permissions to the publish job:
    • contents: read
    • id-token: write
  • Switched the publish step from Yarn with long-lived token auth (yarn publish ... with NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}) to the npm CLI with provenance (npm publish --provenance --access public).
  • Removed dependency on the NPM_TOKEN GitHub secret for publishing.
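The publish job below is an added example, not the repository's own .github/workflows/test-and-publish.yml or code from the PR authors. It puts together the changes listed in the PR description (job-level contents: read and id-token: write, npm publish --provenance --access public, no NODE_AUTH_TOKEN) with the two points raised in the review above (a non-EOL Node runtime and an explicit, tag-driven version source). The Node version, the yarn script names and the use of Yarn 1 with a lockfile are assumptions made for illustration; the trusted-publisher identity (organization kulkultech, repository tinyurl-client, workflow file test-and-publish.yml) is taken from the PR description and must match what is configured on npmjs.com.

```yaml
# Added example (not the repository's own workflow): a publish job that
# authenticates to npm via GitHub Actions OIDC trusted publishing.
# Marked assumptions: Node version, yarn script names, Yarn 1 with a lockfile.
name: test-and-publish   # file name must match the trusted publisher config on npmjs.com

on:
  release:
    types: [created]      # the release.created trigger the review refers to

jobs:
  publish:
    runs-on: ubuntu-latest
    # OIDC: id-token: write lets the job mint a GitHub-signed token that the
    # npm CLI exchanges for a short-lived publish credential. No NPM_TOKEN.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22                          # assumption: a supported LTS instead of EOL Node 16
          registry-url: https://registry.npmjs.org  # registry npm will exchange the OIDC token with
          cache: yarn

      # Trusted publishing and --provenance need a recent npm CLI (11.5.1+ per
      # npm's trusted-publishers docs); upgrading explicitly avoids depending
      # on whatever npm the runner's Node happens to bundle.
      - run: npm install -g npm@latest

      - run: yarn install --frozen-lockfile   # assumption: Yarn 1 with a committed yarn.lock
      - run: yarn build                        # assumption: a "build" script exists in package.json

      # Make the version source explicit: derive it from the release tag
      # (v1.2.3 -> 1.2.3) so npm publish does not fail with "cannot publish
      # over the previously published versions" when package.json was not bumped.
      - run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version --allow-same-version

      # Publish with the npm CLI (Yarn 1 has no provenance/OIDC support). The
      # credential comes from the OIDC exchange, so no env block is needed.
      - run: npm publish --provenance --access public
```

Two checks worth doing the first time this runs: the GitHub Actions job log should show npm obtaining an OIDC token rather than printing ENEEDAUTH, and after publishing, the package page on npmjs.com should show a provenance badge linking the version to this workflow run and commit. If the trusted publisher is configured for a different workflow file name or organization than the one that ran, the exchange is refused and the publish fails before any package data is sent.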

@charliecreates charliecreates bot removed the request for review from CharlieHelps January 26, 2026 22:55
Copilot AI changed the title [WIP] Add OIDC for trusted publisher in CI/CD Configure NPM publishing with OIDC trusted publishers Jan 26, 2026
Copilot AI requested a review from empeje January 26, 2026 22:56
@empeje empeje merged commit ef23383 into master Jan 26, 2026
4 checks passed
empeje added a commit that referenced this pull request Jan 26, 2026