chore(ui-scripts): implement trusted publishing for npm

balzss · balzss · commit f9f44a452b3c · 2026-01-12T14:06:08.000+01:00
diff --git a/.github/workflows/_manual-release-reusable.yml b/.github/workflows/_manual-release-reusable.yml
@@ -1,5 +1,13 @@
-name: Manual Npm release
-on: workflow_dispatch
+name: Manual release to npm (Reusable)
+on:
+  workflow_call:
+    secrets:
+      inherit
+
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -19,10 +27,6 @@ jobs:
       - name: Set up project
         run: pnpm run bootstrap
       - name: Release to NPM
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
-          NPM_EMAIL: ${{secrets.NPM_EMAIL}}
-          NPM_USERNAME: ${{secrets.NPM_USERNAME}}
         run: pnpm run release
       - name: Get commit message
         run: | # puts the first line of the last commit message to the commmit_message env var
diff --git a/.github/workflows/_pr-release-reusable.yml b/.github/workflows/_pr-release-reusable.yml
@@ -1,5 +1,13 @@
-name: npm release from PR
-on: workflow_dispatch
+name: PR release to npm (Reusable)
+on:
+  workflow_call:
+    secrets:
+      inherit
+
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -18,10 +26,6 @@ jobs:
       - name: Set up project
         run: pnpm run bootstrap
       - name: Release to NPM
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
-          NPM_EMAIL: ${{secrets.NPM_EMAIL}}
-          NPM_USERNAME: ${{secrets.NPM_USERNAME}}
         run: pnpm run release -- --prRelease
       - name: Get commit message
         run: | # puts the first line of the last commit message to the commmit_message env var
diff --git a/.github/workflows/_release-reusable.yml b/.github/workflows/_release-reusable.yml
@@ -1,8 +1,13 @@
-name: AUTO npm release, docs deploy and ssr regression - on master
+name: Release to npm (Reusable)
 on:
-  push:
-    branches:
-      - master
+  workflow_call:
+    secrets:
+      inherit
+
+permissions:
+  id-token: write    # Required for OIDC
+  contents: write    # Required for git tags
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -23,11 +28,8 @@ jobs:
       - name: Run tests.
         run: USE_REACT_STRICT_MODE=0 pnpm run test:vitest
       - name: Release to NPM
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
-          NPM_EMAIL: ${{secrets.NPM_EMAIL}}
-          NPM_USERNAME: ${{secrets.NPM_USERNAME}}
         run: pnpm run release
+        # Note: No env block needed - OIDC auth is automatic
   tag:
     needs: release
     if: "startsWith(github.event.head_commit.message, 'chore(release)')"
diff --git a/.github/workflows/release_to_npm.yml b/.github/workflows/release_to_npm.yml
@@ -0,0 +1,48 @@
+name: Release to npm (OIDC Entry Point)
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Type of release to perform'
+        required: true
+        type: choice
+        options:
+          - manual
+          - pr-snapshot
+        default: 'manual'
+
+permissions:
+  id-token: write    # Required for OIDC token generation
+  contents: write    # Required for git operations (tagging)
+
+jobs:
+  # Automatic production release on push to master
+  auto-release:
+    if: github.event_name == 'push'
+    uses: ./.github/workflows/_release-reusable.yml
+    permissions:
+      id-token: write
+      contents: write
+    secrets: inherit
+
+  # Manual release (on-demand)
+  manual-release:
+    if: github.event_name == 'workflow_dispatch' && inputs.release_type == 'manual'
+    uses: ./.github/workflows/_manual-release-reusable.yml
+    permissions:
+      id-token: write
+      contents: write
+    secrets: inherit
+
+  # PR snapshot release
+  pr-release:
+    if: github.event_name == 'workflow_dispatch' && inputs.release_type == 'pr-snapshot'
+    uses: ./.github/workflows/_pr-release-reusable.yml
+    permissions:
+      id-token: write
+      contents: write
+    secrets: inherit
diff --git a/packages/ui-scripts/lib/commands/publish.js b/packages/ui-scripts/lib/commands/publish.js
@@ -215,7 +215,14 @@ async function publishPackage(pkg, tag) {
       setTimeout(resolve, delay)
     })
 
-  const publishArgs = ['publish', pkg.location, '--tag', tag, '--no-git-checks']
+  const publishArgs = [
+    'publish',
+    pkg.location,
+    '--tag',
+    tag,
+    '--no-git-checks',
+    '--provenance'
+  ]
   await runCommandAsync('pnpm', publishArgs)
 
   return wait(500)
diff --git a/packages/ui-scripts/lib/utils/npm.js b/packages/ui-scripts/lib/utils/npm.js
@@ -21,9 +21,6 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-import fs from 'fs'
-import path from 'path'
-import os from 'os'
 import semver from 'semver'
 import pkgUtils from '@instructure/pkg-utils'
 import {
@@ -34,11 +31,6 @@ import {
 } from '@instructure/command-utils'
 
 import { Project } from '@lerna/project'
-
-const NPM_SCOPE = '@instructure:registry=https://registry.npmjs.org/'
-
-// Track user .npmrc backup for cleanup
-let userNpmrcBackup = null
 const syncRootPackageVersion = async (useProjectVersion) => {
   const project = new Project(process.cwd())
   const rootPkg = pkgUtils.getPackage()
@@ -111,76 +103,23 @@ export async function bumpPackages(packageName, requestedVersion) {
 }
 
 export function createNPMRCFile() {
-  const { NPM_TOKEN, NPM_EMAIL, NPM_USERNAME } = process.env
-
-  // Only write an npmrc file if these are defined, otherwise assume the system is properly configured
-  if (NPM_TOKEN) {
-    const userHome = os.homedir()
-    const userNpmrcPath = path.join(userHome, '.npmrc')
-
-    // Backup existing user .npmrc if it exists
-    if (fs.existsSync(userNpmrcPath)) {
-      const existingContent = fs.readFileSync(userNpmrcPath, 'utf8')
-      userNpmrcBackup = {
-        path: userNpmrcPath,
-        content: existingContent,
-        existed: true
-      }
-      info(`📦  Backing up existing ${userNpmrcPath}`)
-    } else {
-      userNpmrcBackup = {
-        path: userNpmrcPath,
-        content: null,
-        existed: false
-      }
-    }
-
-    // Write auth credentials to user .npmrc
-    const authConfig = `//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n${NPM_SCOPE}\nemail=${NPM_EMAIL}\nname=${NPM_USERNAME}\n`
-
-    if (userNpmrcBackup.existed) {
-      // Append to existing content
-      fs.writeFileSync(userNpmrcPath, userNpmrcBackup.content + '\n' + authConfig)
-    } else {
-      // Create new file
-      fs.writeFileSync(userNpmrcPath, authConfig)
-    }
-
-    info(`📦  Written auth config to ${userNpmrcPath}`)
-  }
+  info('📦  Using OIDC authentication (npm trusted publishing)')
 
+  // Verify OIDC authentication works
   try {
-    info('running pnpm whoami:')
+    info('📦  Running pnpm whoami to verify OIDC auth:')
     runCommandSync('pnpm', ['whoami'])
   } catch (e) {
-    error(`Could not determine if NPM auth was successful: ${e}`)
+    error(`Could not verify OIDC authentication: ${e}`)
+    error('Make sure:')
+    error('  1. Workflow has id-token: write permissions')
+    error('  2. npm packages are configured for trusted publishing')
+    error('  3. Workflow is running in GitHub Actions')
     process.exit(1)
   }
 }
 
 export function cleanupNPMRCFile() {
-  if (!userNpmrcBackup) {
-    // Nothing to cleanup
-    return
-  }
-
-  try {
-    if (userNpmrcBackup.existed) {
-      // Restore original content
-      fs.writeFileSync(userNpmrcBackup.path, userNpmrcBackup.content)
-      info(`📦  Restored original ${userNpmrcBackup.path}`)
-    } else {
-      // Remove the file we created
-      if (fs.existsSync(userNpmrcBackup.path)) {
-        fs.unlinkSync(userNpmrcBackup.path)
-        info(`📦  Removed ${userNpmrcBackup.path}`)
-      }
-    }
-  } catch (e) {
-    error(`Failed to cleanup .npmrc: ${e}`)
-    // Don't exit - cleanup failure shouldn't break the release
-  } finally {
-    // Reset backup state
-    userNpmrcBackup = null
-  }
+  // No cleanup needed with OIDC authentication
+  // This function is kept for backward compatibility
 }
