fix(release) use Node 24 and empty NODE_AUTH_TOKEN for OIDC publishing #24

Merged
indexzero merged 1 commit into main from fix/trusted-publisher
Apr 14, 2026

@indexzero (Owner) commented Apr 14, 2026

What

Switches the release workflow from Node 22 to Node 24 and sets NODE_AUTH_TOKEN to an empty string in the release step.

Why

npm OIDC trusted publishing requires npm >= 11.5.0. Node 22 ships with npm 10.x, while Node 24 ships with npm 11.x which has OIDC support built in. The empty NODE_AUTH_TOKEN prevents the .npmrc template (created by setup-node with registry-url) from interfering with the OIDC token exchange that happens during npm publish --provenance.

Risk Assessment

Low risk. Node 24 is already tested in CI. The release workflow only runs on manual dispatch.

References

Node 24 ships with npm 11.x which includes OIDC trusted publishing.
Set NODE_AUTH_TOKEN to empty string so the .npmrc template does not
interfere with the OIDC token exchange at publish time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@indexzero indexzero merged commit 05fc209 into main Apr 14, 2026
5 checks passed
@indexzero indexzero deleted the fix/trusted-publisher branch April 14, 2026 17:13
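
The two conditions the description relies on (npm at or above the stated minimum, and an empty NODE_AUTH_TOKEN) can be checked before `npm publish --provenance` runs. The following preflight is an added example, not part of this pull request or the project's workflow; the function names are hypothetical, and the check on `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` assumes a GitHub Actions job, where those variables are only present when the job has `id-token: write` permission.

```shell
#!/bin/sh
# Added example (not from the PR): preflight for an OIDC trusted-publishing step.
# MIN_NPM is the minimum stated in the PR description; function names are hypothetical.
MIN_NPM="11.5.0"

# version_ge A B: true when dotted version A >= B, comparing each field numerically
# (so 11.10.0 > 11.5.0). Pre-release/build suffixes ("-rc.1", "+sha") are ignored.
version_ge() {
  va=${1%%[-+]*}; vb=${2%%[-+]*}
  case $va in ''|*[!0-9.]*) return 2 ;; esac   # reject non-numeric input
  case $vb in ''|*[!0-9.]*) return 2 ;; esac
  for _field in major minor patch; do
    vx=${va%%.*}; vy=${vb%%.*}
    if [ "${vx:-0}" -gt "${vy:-0}" ]; then return 0; fi
    if [ "${vx:-0}" -lt "${vy:-0}" ]; then return 1; fi
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 0
}

# oidc_preflight NPM_VERSION: prints one line per problem, returns non-zero if any.
oidc_preflight() {
  rc=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm '$1' is below $MIN_NPM: OIDC trusted publishing unavailable"; rc=1
  fi
  # Per the PR, a non-empty token lets the setup-node .npmrc template
  # interfere with the OIDC token exchange at publish time.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is non-empty: set it to an empty string for this step"; rc=1
  fi
  # Assumption: running in GitHub Actions with 'permissions: id-token: write'.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: job cannot request an id-token"; rc=1
  fi
  return "$rc"
}

# In the release step, before publishing:
#   oidc_preflight "$(npm --version)" || exit 1
```
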