ci: npm Trusted Publishing (OIDC) + mask Permit API key in logs#128
Merged
Conversation
The publish job authenticated to npm with a long-lived NPM_TOKEN secret, which expired and caused the 2.7.6 release to fail (registry returned "Not found" / 404 on publish). Mirror permit-fe-sdk's move to OIDC-based npm Trusted Publishing so releases no longer depend on a stored token. - add id-token: write (and contents: read) permissions for OIDC - run the job in the `production` environment (matches the npm Trusted Publisher config) - upgrade npm to latest at runtime (Trusted Publishing needs npm >= 11.5.1) - publish with `npm publish` instead of `yarn publish` (yarn classic does not support OIDC); drop the NODE_AUTH_TOKEN env - strip a leading `v` from the release tag before writing the version so tags like `v2.7.6` produce valid semver - provenance attestations are generated automatically under Trusted Publishing Requires a Trusted Publisher configured on npmjs.com for permitio/permit-node (workflow: node_sdk_publish.yaml, environment: production). The NPM_TOKEN repo secret can be removed once this is merged and a release succeeds. Refs PER-15197. Secret-leak hardening of this workflow tracked in PER-15241. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Fetch API_KEY step wrote the env api key to $GITHUB_ENV and echoed it directly, so it appeared in cleartext in the run logs and in the env-group dump of every later step. Register the value with ::add-mask:: before exporting it, and drop the explicit echo, so it is redacted everywhere. PROJECT_API_KEY should still be rotated since it was exposed in prior runs. Fixes PER-15241. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Hardens the Node SDK release workflow by switching npm publishing authentication to Trusted Publishing (OIDC) and preventing the dynamically-fetched Permit env API key from being logged in cleartext.
Changes:
- Configure the publish job for npm Trusted Publishing (OIDC) via
environment: productionandid-token: write, and switch publishing fromyarn publishtonpm publish. - Mask the fetched
ENV_API_KEYusing::add-mask::before exporting it to$GITHUB_ENV. - Normalize the release tag to a valid semver by stripping a leading
vbefore updatingpackage.json.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+27
to
+28
| - name: Upgrade npm for Trusted Publishing | ||
| run: npm install -g npm@latest && npm --version |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two related CI hardening changes to
.github/workflows/node_sdk_publish.yaml:NPM_TOKEN— refs PER-151971. npm Trusted Publishing (OIDC)
Mirrors the approach just adopted in
permit-fe-sdk(d193a76).Why
The
2.7.6release (run 28086479788) failed on publish withCouldn't publish package: "https://registry.npmjs.org/permitio: Not found". That 404 is npm's response to an unauthorized publish — the long-livedNPM_TOKEN(last successful publish 2025-06-23, >1 year ago) had expired. Trusted Publishing removes the stored token: GitHub mints a short-lived OIDC credential per run that npm verifies against a configured Trusted Publisher.Changes
permissions: { contents: read, id-token: write }(OIDC requiresid-token: write)productionenvironment (matches the npm Trusted Publisher config)npm publishinstead ofyarn publish— yarn classic doesn't support OIDC — and dropNODE_AUTH_TOKENvfrom the release tag →v2.7.6becomes valid semver2.7.6The PDP integration-test flow (create env → run PDP →
yarn test→ delete env) is unchanged.2. Mask fetched Permit API key (PER-15241)
The Fetch API_KEY step wrote the env api key to
$GITHUB_ENVand echoed it directly, so it appeared in cleartext in the logs and in the env-group dump of every later step. Now the value is registered with::add-mask::before export and the explicit echo is removed, so it's redacted everywhere.A Trusted Publisher must be configured on npmjs.com (maintainer indicated this is done — please confirm it matches exactly):
permitio→ Settings → Trusted Publishers → GitHub Actionspermitio· Repository:permit-nodenode_sdk_publish.yamlproductionIf the npm config names a different workflow file or environment, the OIDC claim won't match and publish will fail. (fe-sdk's workflow is
release.yml; ours isnode_sdk_publish.yaml— most likely field to be mismatched if copied.)This repo has no
productionGitHub environment yet; referencing it creates it on first run with no protection rules.How to verify
2.7.6-rc.0, labeled Pre-release → publishespermitio@2.7.6-rc.0under thercdist-tag via OIDC (no token).npm view permitio@2.7.6-rc.0 dist.unpackedSize→ confirms the size fix (~3.5 MB) and that OIDC auth worked. Confirm the leaked key no longer appears in the run logs.2.7.6release labeled Latest.NPM_TOKENrepo secret and rotatePROJECT_API_KEY.Related
🤖 Generated with Claude Code