Skip to content

chore: migrate npm publishing from token to OIDC#2

Merged
davidkonigsberg merged 1 commit into
mainfrom
devin/1779367519-migrate-oidc
May 21, 2026
Merged

chore: migrate npm publishing from token to OIDC#2
davidkonigsberg merged 1 commit into
mainfrom
devin/1779367519-migrate-oidc

Conversation

@davidkonigsberg
Copy link
Copy Markdown
Contributor

@davidkonigsberg davidkonigsberg commented May 21, 2026

Summary

Migrates @fern-api/incidentio npm publishing from using NPM_TOKEN secret to OIDC trusted publishing with provenance attestations.

Changes:

  • Added permissions: contents: read, id-token: write to the publish job
  • Added registry-url: https://registry.npmjs.org to setup-node step (required for OIDC)
  • Replaced token-based publish with npm publish --provenance
  • Removed NPM_TOKEN env var

Review & Testing Checklist for Human

  • Configure npm trusted publisher for @fern-api/incidentio at https://www.npmjs.com/package/@fern-api/incidentio/access → Trusted Publishers → Add GitHub Actions. Set repository to fern-api/incident-node, workflow file to ci.yml, environment blank.
  • After configuring trusted publisher, push a test tag to verify OIDC publish works
  • Revoke the old NPM_TOKEN secret from this repo's GitHub settings once confirmed working

Notes

This is part of a broader effort to remove all NPM auth tokens from the @fern-api organization and use OIDC trusted publishing exclusively. Without configuring the trusted publisher on npmjs.com first, the publish will fail.

Link to Devin session: https://app.devin.ai/sessions/82f5751c688442aba14fc2fbb515c352
Requested by: @davidkonigsberg

@devin-ai-integration @davidkonigsberg
chore: migrate npm publishing from token to OIDC
df1644d 
Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
@davidkonigsberg davidkonigsberg requested a review from dsinghvi as a code owner May 21, 2026 12:48
@devin-ai-integration
Copy link
Copy Markdown
Contributor

devin-ai-integration Bot commented May 21, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@davidkonigsberg davidkonigsberg merged commit cd721c5 into main May 21, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fern-support fern-support fern-support approved these changes

@dsinghvi dsinghvi Awaiting requested review from dsinghvi dsinghvi is a code owner

Assignees

@davidkonigsberg davidkonigsberg

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davidkonigsberg @fern-support