
ci(release): switch npm publishing to OIDC trusted publishing#4466

Draft · cliffhall wants to merge 1 commit into main from ci/npm-trusted-publishing

Conversation

@cliffhall (Member)

Summary

Phase 1 of #4463: make release.yml's npm publishing work via trusted publishing (OIDC) instead of the dead NPM_TOKEN, and nudge all four TypeScript packages into the next release matrix.

Both June release attempts (26882432128, 27626321345) published to PyPI but failed every npm leg with a disguised auth error (E404 on the publish PUT) — the token is expired and non-refreshable. Each @modelcontextprotocol/* package's npm trusted publisher is being registered against this workflow (release.yml) + the release environment, so the workflow must authenticate via OIDC.

Changes

.github/workflows/release.yml (publish-npm job):

  • Add permissions: id-token: write (required to mint the OIDC token; contents: read added explicitly since setting permissions drops defaults)
  • Upgrade the npm CLI in the job — trusted publishing requires npm ≥ 11.5.1, Node 22 bundles an older npm
  • Remove NODE_AUTH_TOKEN from the publish step

README touch in each TypeScript server so scripts/release.py includes all four in the next npm matrix (they're stranded on npm at 2026.1.26 while PyPI advanced to 2026.6.16):

  • everything: add the License section the other three servers already have
  • filesystem / memory / sequential-thinking: link the package's npm page under the intro

Merging is publish-safe

Merging this PR publishes nothing. Publishing only happens when a release-environment deployment is approved on a release.yml run (cron runs queue daily but sit awaiting approval). The actual release will be dispatched deliberately once the npm trusted-publisher registrations are complete for all four packages.

If a package's trusted publisher isn't registered by then, its matrix leg fails alone (fail-fast: false) and catches up in a later release.

Prerequisites before dispatching the release (not part of this PR)

  • npm trusted publisher registered for server-everything, server-memory, server-filesystem, server-sequential-thinking (workflow release.yml, environment release)
  • Reject the backlog of "waiting" release runs so no stale workflow snapshot can fire afterward
  • After the first successful OIDC publish: restrict the packages to trusted-publisher-only and delete the NPM_TOKEN secret

Part of #4463.

🤖 Generated with Claude Code

https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG

The NPM_TOKEN used by publish-npm is dead (npm classic-token sunset) —
both June release attempts failed publishing with a disguised auth error
(E404 on the publish PUT) after PyPI legs succeeded. Each
@modelcontextprotocol/* package's npm trusted publisher is being bound to
this workflow (release.yml) + the release environment, so publish-npm now
authenticates via OIDC instead of a token:

- add id-token: write permission to publish-npm (required to mint the
  OIDC token; contents: read added explicitly since setting permissions
  drops the defaults)
- upgrade the npm CLI in the publish job (trusted publishing requires
  npm >= 11.5.1; Node 22 bundles an older npm)
- drop NODE_AUTH_TOKEN from the publish step

Also touch each TypeScript server's README (add everything's missing
License section; link each package's npm page) so scripts/release.py
includes all four packages in the next npm publish matrix — they've been
stranded on npm at 2026.1.26 while PyPI advanced to 2026.6.16.

See #4463 for the rollout plan.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
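The publish-npm job shape the description and commit message describe, as an added example rather than the PR's own diff (the page shows no hunks): the token-based job beside its OIDC form. The action versions, the matrix list and the `working-directory` path are assumptions.

```yaml
# Added example, not the PR's diff. Action versions and the package path are assumptions.

# Before: a long-lived classic token injected into the publish step.
publish-npm-token:
  runs-on: ubuntu-latest
  environment: release
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 22
        registry-url: https://registry.npmjs.org
    - run: npm ci && npm publish --access public
      env:
        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # expired token -> disguised E404 on the publish PUT

# After: OIDC trusted publishing; the job holds no registry secret at all.
publish-npm:
  runs-on: ubuntu-latest
  environment: release        # must be the environment the trusted publisher is registered against
  permissions:
    id-token: write           # lets the job mint the OIDC token it presents to npm
    contents: read            # re-added: a job-level permissions block replaces the defaults
  strategy:
    fail-fast: false          # a package without a registered publisher fails its own leg only
    matrix:
      package: [everything, filesystem, memory, sequential-thinking]
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 22
        registry-url: https://registry.npmjs.org
    - run: npm install -g npm@latest   # Node 22 bundles npm < 11.5.1, too old for trusted publishing
    - run: npm --version               # sanity check: must print 11.5.1 or newer
    - run: npm ci && npm publish --access public
      working-directory: src/${{ matrix.package }}   # placeholder path, not the repo's layout
      # no NODE_AUTH_TOKEN: npm exchanges the workflow's OIDC token for a short-lived publish credential
```

Because publishing is gated on the `release` environment, the job still only runs once a deployment to that environment is approved, so merging the workflow change by itself publishes nothing.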
