Skip to content

ci: npm Trusted Publishing (OIDC) + mask Permit API key in logs#128

Merged
dshoen619 merged 2 commits into
mainfrom
david/per-15197-npm-trusted-publishing
Jun 24, 2026
Merged

ci: npm Trusted Publishing (OIDC) + mask Permit API key in logs#128
dshoen619 merged 2 commits into
mainfrom
david/per-15197-npm-trusted-publishing

Conversation

@dshoen619

@dshoen619 dshoen619 commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

Two related CI hardening changes to .github/workflows/node_sdk_publish.yaml:

  1. Switch npm auth to Trusted Publishing (OIDC), remove NPM_TOKEN — refs PER-15197
  2. Mask the fetched Permit API key so it is no longer logged in cleartext — fixes PER-15241

1. npm Trusted Publishing (OIDC)

Mirrors the approach just adopted in permit-fe-sdk (d193a76).

Why

The 2.7.6 release (run 28086479788) failed on publish with Couldn't publish package: "https://registry.npmjs.org/permitio: Not found". That 404 is npm's response to an unauthorized publish — the long-lived NPM_TOKEN (last successful publish 2025-06-23, >1 year ago) had expired. Trusted Publishing removes the stored token: GitHub mints a short-lived OIDC credential per run that npm verifies against a configured Trusted Publisher.

Changes

  • Add permissions: { contents: read, id-token: write } (OIDC requires id-token: write)
  • Run the job in the production environment (matches the npm Trusted Publisher config)
  • Upgrade npm to latest at runtime (Trusted Publishing needs npm ≥ 11.5.1)
  • Publish with npm publish instead of yarn publish — yarn classic doesn't support OIDC — and drop NODE_AUTH_TOKEN
  • Strip a leading v from the release tag → v2.7.6 becomes valid semver 2.7.6
  • Provenance attestations are generated automatically

The PDP integration-test flow (create env → run PDP → yarn test → delete env) is unchanged.

2. Mask fetched Permit API key (PER-15241)

The Fetch API_KEY step wrote the env api key to $GITHUB_ENV and echoed it directly, so it appeared in cleartext in the logs and in the env-group dump of every later step. Now the value is registered with ::add-mask:: before export and the explicit echo is removed, so it's redacted everywhere.

Follow-up still required: rotate PROJECT_API_KEY, since it was exposed in prior run logs.


⚠️ Required before this can publish

A Trusted Publisher must be configured on npmjs.com (maintainer indicated this is done — please confirm it matches exactly):

  • Package: permitio → Settings → Trusted Publishers → GitHub Actions
  • Owner: permitio · Repository: permit-node
  • Workflow filename: node_sdk_publish.yaml
  • Environment: production

If the npm config names a different workflow file or environment, the OIDC claim won't match and publish will fail. (fe-sdk's workflow is release.yml; ours is node_sdk_publish.yaml — most likely field to be mismatched if copied.)

This repo has no production GitHub environment yet; referencing it creates it on first run with no protection rules.

How to verify

  1. Merge → create a GitHub Release tagged 2.7.6-rc.0, labeled Pre-release → publishes permitio@2.7.6-rc.0 under the rc dist-tag via OIDC (no token).
  2. npm view permitio@2.7.6-rc.0 dist.unpackedSize → confirms the size fix (~3.5 MB) and that OIDC auth worked. Confirm the leaked key no longer appears in the run logs.
  3. Promote with a 2.7.6 release labeled Latest.
  4. After a green publish: delete the NPM_TOKEN repo secret and rotate PROJECT_API_KEY.

Related

  • Refs PER-15197 (package-size fix)
  • Fixes PER-15241 (cleartext API-key logging)

🤖 Generated with Claude Code

The publish job authenticated to npm with a long-lived NPM_TOKEN secret,
which expired and caused the 2.7.6 release to fail (registry returned
"Not found" / 404 on publish). Mirror permit-fe-sdk's move to OIDC-based
npm Trusted Publishing so releases no longer depend on a stored token.

- add id-token: write (and contents: read) permissions for OIDC
- run the job in the `production` environment (matches the npm Trusted
  Publisher config)
- upgrade npm to latest at runtime (Trusted Publishing needs npm >= 11.5.1)
- publish with `npm publish` instead of `yarn publish` (yarn classic does
  not support OIDC); drop the NODE_AUTH_TOKEN env
- strip a leading `v` from the release tag before writing the version so
  tags like `v2.7.6` produce valid semver
- provenance attestations are generated automatically under Trusted Publishing

Requires a Trusted Publisher configured on npmjs.com for permitio/permit-node
(workflow: node_sdk_publish.yaml, environment: production). The NPM_TOKEN
repo secret can be removed once this is merged and a release succeeds.

Refs PER-15197. Secret-leak hardening of this workflow tracked in PER-15241.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@linear-code

linear-code Bot commented Jun 24, 2026

Copy link
Copy Markdown

PER-15197

PER-15241

The Fetch API_KEY step wrote the env api key to $GITHUB_ENV and echoed it
directly, so it appeared in cleartext in the run logs and in the env-group
dump of every later step. Register the value with ::add-mask:: before
exporting it, and drop the explicit echo, so it is redacted everywhere.

PROJECT_API_KEY should still be rotated since it was exposed in prior runs.

Fixes PER-15241.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dshoen619 dshoen619 changed the title ci: publish via npm Trusted Publishing (OIDC) instead of NPM_TOKEN ci: npm Trusted Publishing (OIDC) + mask Permit API key in logs Jun 24, 2026
@dshoen619 dshoen619 requested a review from Copilot June 24, 2026 10:57
@dshoen619 dshoen619 self-assigned this Jun 24, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the Node SDK release workflow by switching npm publishing authentication to Trusted Publishing (OIDC) and preventing the dynamically-fetched Permit env API key from being logged in cleartext.

Changes:

  • Configure the publish job for npm Trusted Publishing (OIDC) via environment: production and id-token: write, and switch publishing from yarn publish to npm publish.
  • Mask the fetched ENV_API_KEY using ::add-mask:: before exporting it to $GITHUB_ENV.
  • Normalize the release tag to a valid semver by stripping a leading v before updating package.json.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +27 to +28
- name: Upgrade npm for Trusted Publishing
run: npm install -g npm@latest && npm --version
@dshoen619 dshoen619 merged commit 64b75ac into main Jun 24, 2026
3 checks passed
@dshoen619 dshoen619 deleted the david/per-15197-npm-trusted-publishing branch June 24, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants