
Migrate npm publishing to OIDC trusted publishing #77

Merged
saschabuehrle merged 1 commit into main from feat/npm-oidc-publishing on Nov 19, 2025

Conversation

@saschabuehrle (Collaborator)

Summary

Migrates npm publishing from classic tokens to OIDC trusted publishing to comply with npm's November 19, 2025 security requirements.

Changes

  • ✅ Removed NODE_AUTH_TOKEN dependency - No more token secrets
  • ✅ Added npm CLI update step - Ensures v11.5.1+ for OIDC
  • ✅ Standardized all packages to use npm publish with provenance
  • ✅ Published @cascadeflow/langchain@0.6.0 (first release)
  • 📦 Package: https://www.npmjs.com/package/@cascadeflow/langchain

Security Benefits

  • 🔒 No long-lived tokens in GitHub secrets
  • ✅ Automatic provenance attestations
  • 🎯 Package-specific permissions
  • 📝 Complies with npm Nov 19, 2025 security mandate

Configuration Required

Each package needs trusted publisher on npmjs.com:

  • Organization: lemony-ai
  • Repository: cascadeflow
  • Workflow: publish.yml
  • Environment: npm

Co-Authored-By: Claude <noreply@anthropic.com>

Breaking Changes:
- Removed NPM_TOKEN secret dependency from workflow
- All npm packages now use OIDC for authentication

New Features:
- Added npm CLI update step to ensure v11.5.1+ for OIDC support
- Automatic provenance generation for all packages
- Token-less publishing via OpenID Connect

Package Changes:
- Changed @cascadeflow/n8n-nodes-cascadeflow to use npm publish (was pnpm)
- Renamed workflow step for @cascadeflow/langchain package
- All packages now consistently use: npm publish --access public --provenance

Requirements:
- Each package must have trusted publisher configured on npmjs.com
- Configuration: org=lemony-ai, repo=cascadeflow, workflow=publish.yml, env=npm
- GitHub Actions environment "npm" must have id-token: write permission

Security Improvements:
- Eliminates long-lived token storage in GitHub secrets
- Uses short-lived OIDC tokens per publish job
- Complies with npm's November 2025 security requirements

Related:
- npm deprecated classic tokens on 2025-11-19
- First publish of @cascadeflow/langchain@0.6.0

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
saschabuehrle merged commit 2c01fe0 into main on Nov 19, 2025
19 checks passed
saschabuehrle deleted the feat/npm-oidc-publishing branch on November 19, 2025 at 16:20
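The workflow shape the PR description and commit message call for (no npm token secret, an npm CLI upgrade to 11.5.1 or newer, `id-token: write`, the `npm` environment, and `npm publish --access public --provenance`), written out as an added example. This is not the repository's own `publish.yml`, which the page does not show; the trigger, Node version, action versions and the `packages/langchain` path are assumptions, and the org/repo/workflow/environment values are the ones listed under "Configuration Required".

```yaml
# Added example of a GitHub Actions workflow that matches the trusted publisher
# settings named on this page (org lemony-ai, repo cascadeflow, workflow
# publish.yml, environment npm). Not the project's publish.yml; the trigger,
# Node version, action versions and package path are assumptions.
name: publish

on:
  push:
    tags:
      - 'v*'

# Least privilege for the workflow as a whole; only the publish job gets
# the extra id-token permission below.
permissions:
  contents: read

jobs:
  publish-langchain:
    runs-on: ubuntu-latest
    # The environment name is one of the values npmjs.com matches against
    # the trusted publisher entry (together with org, repo and workflow file).
    environment: npm
    permissions:
      contents: read
      id-token: write   # lets this job request an OIDC token from GitHub

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs npm 11.5.1 or newer; the CLI bundled with
      # the Node runtime may be older, so upgrade first.
      - name: Update npm CLI
        run: npm install -g npm@latest

      # Fail fast if the upgrade did not land a new-enough CLI, instead of
      # letting npm publish fail later with a less obvious auth error.
      - name: Check npm version
        run: |
          need="11.5.1"
          have="$(npm --version)"
          if [ "$(printf '%s\n%s\n' "$need" "$have" | sort -V | head -n1)" != "$need" ]; then
            echo "npm $have is too old for OIDC trusted publishing (need >= $need)" >&2
            exit 1
          fi

      - name: Install
        run: npm ci
        working-directory: packages/langchain   # assumed path

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is referenced anywhere in this
      # job: npm exchanges the GitHub OIDC token for a short-lived publish
      # credential and attaches a provenance attestation to the release.
      - name: Publish @cascadeflow/langchain
        run: npm publish --access public --provenance
        working-directory: packages/langchain   # assumed path
```

Two points worth checking when adapting this: `id-token: write` is a `permissions` key on the job (or workflow), not a setting on the GitHub environment itself; the environment only has to exist and carry the name registered on npmjs.com. And the workflow filename must be exactly the one configured for the trusted publisher (`publish.yml` here), since the OIDC token's claims identify the workflow by path and npm refuses the exchange on any mismatch.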