
Add NPM release workflow with OIDC publishing support #168

Open
jlouk wants to merge 4 commits into master from oidc-publishing-for-public-packages

Conversation

@jlouk jlouk commented Jun 4, 2026

This workflow uses the new is-public parameter from gha to enable NPM Trusted Publishing with OIDC authentication for @mapbox/cloudfriend.

jlouk and others added 2 commits June 4, 2026 08:52
This workflow uses the new is-public parameter from gha to enable
NPM Trusted Publishing with OIDC authentication for @mapbox/cloudfriend.

This eliminates the need for NPM tokens and uses GitHub's OIDC to
securely publish public packages to npmjs.com.
ox-security Bot commented Jun 4, 2026

Successfully scanned changes introduced in a pull request into master from oidc-publishing-for-public-packages.

Internal scan identifier: b7883538-ee87-43e9-b150-fde4b3d5cb41.

Total issues: 1
Blocking issues: 0
Scan status: ✔️

Category: CI/CD Posture (1 issue)

See all issues found during this scan in the OX Security Application.

Detailed information
Issue #1
Name: Unpinned Reusable Workflow • GitHub Actions
Status: New
Enforcement: Monitor
Severity: High
Category: CI/CD Posture
Source tools: OX CI/CD Posture
Recommendation: Pin reusable workflows to a full-length commit SHA (40 characters) instead of a tag or branch. Example: uses: org/repo/.github/workflows/build.yml@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
1 aggregation
File: .github/workflows/npm-release.yml
Match: uses: mapbox/gha/.github/workflows/workflow-release-npm-package.yml@workflow-release-npm-package-v1
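As an added check, not part of this PR or of mapbox/gha, the script below reproduces what the scan above flags: it walks a caller workflow and reports every remote `uses:` reference (reusable workflow or action) whose ref is not a 40-character commit SHA. The sample workflow is constructed around the PR's own `uses:` line; the setup-node SHA is the placeholder from the recommendation, not a real pin.

```python
import re

# A full-length git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches both job-level `uses:` (reusable workflows) and step-level `- uses:` (actions).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample caller workflow; the setup-node SHA is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
name: npm-release
on: push
jobs:
  release:
    uses: mapbox/gha/.github/workflows/workflow-release-npm-package.yml@workflow-release-npm-package-v1
    secrets: inherit
    with:
      is-public: true
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - uses: ./.github/actions/local-lint
"""

def parse_uses(value):
    """Split a `uses:` value into (target, git_ref); local paths and docker images have no ref."""
    if value.startswith("./") or value.startswith("docker://"):
        return value, None
    target, sep, git_ref = value.partition("@")
    return target, (git_ref if sep else None)

def find_unpinned(workflow_text):
    """Return (line_no, uses_value, kind) for each remote reference not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target, git_ref = parse_uses(m.group(1))
        if git_ref is None or FULL_SHA.match(git_ref):
            continue  # nothing to pin, or already pinned to a commit
        kind = "reusable workflow" if "/.github/workflows/" in target else "action"
        findings.append((line_no, m.group(1), kind))
    return findings

if __name__ == "__main__":
    for line_no, value, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: unpinned {kind}: {value}")
```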

Comment thread .github/workflows/npm-release.yml Fixed
jlouk added 2 commits June 4, 2026 09:01
Use stable workflow version for testing after gha merge

Change from PR branch reference to workflow-release-npm-package-v1
so we can test once the gha PR is merged and promoted.
@jlouk jlouk marked this pull request as ready for review June 4, 2026 15:00
@jlouk jlouk requested a review from a team as a code owner June 4, 2026 15:00
Comment on lines +19 to +22
uses: mapbox/gha/.github/workflows/workflow-release-npm-package.yml@workflow-release-npm-package-v1
secrets: inherit
with:
is-public: true # Enable OIDC authentication for public packages
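Review bot: the reusable workflow on the first line of this block is referenced by the mutable tag `workflow-release-npm-package-v1`, which is what the OX scan above reports as an unpinned reusable workflow; since the point of this PR is to stop relying on long-lived NPM tokens, it would be consistent to pin to the full 40-character commit SHA of that workflow in mapbox/gha (with the tag name in a trailing comment) so that a moved tag cannot silently replace the publishing logic. On the second line, `secrets: inherit` forwards every secret available to this repository into the called workflow; with OIDC trusted publishing the NPM token should no longer be needed, so consider passing only the secrets the reusable workflow actually requires, or none.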