ci: manually exchange OIDC token instead of relying on npm auto-detect #105

Merged: JumpLink merged 1 commit into main from ci/manual-oidc-exchange on Jun 16, 2026
@JumpLink

Collaborator

npm CLI's automatic Trusted Publishing OIDC detection returns ENEEDAUTH in this setup. This PR exchanges the token explicitly using curl, then writes it to ~/.npmrc before publishing — the same pattern @actions/core uses and that gjsify publish implements internally.

Fixes the provenance URL path bug too (cd packages/gnome-shell before npm publish instead of passing the path as argument).

npm CLI's automatic Trusted Publishing OIDC detection (via
ACTIONS_ID_TOKEN_REQUEST_URL) is not triggered reliably; the CLI still
returns ENEEDAUTH. Exchange the token explicitly using curl — the same
approach @actions/core uses — then write it to ~/.npmrc before publishing.

Uses string-concat for the audience parameter to avoid the
URLSearchParams dropping-audience bug documented in gjsify/gjsify.

JumpLink requested review from Totto16, schnz and swsnr as code owners on June 16, 2026 19:11
JumpLink merged commit 94f454b into main on Jun 16, 2026
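
The exchange described in the PR description above, sketched as an added example; it is not the workflow from this pull request or from gjsify. Assumptions not taken from the page: the audience value `npm:registry.npmjs.org`, the npm exchange endpoint path, the use of `jq`, and all function names; the package name and directory are passed as arguments.

```shell
#!/bin/sh
# Added example, not the PR's workflow: manual OIDC exchange before npm publish.
set -eu
AUDIENCE="npm:registry.npmjs.org"  # assumption: audience the registry expects

# Plain string concatenation: the runner's request URL already carries a
# query string, so the audience is appended with '&' ('?' if there is none).
oidc_request_url() {  # $1 = ACTIONS_ID_TOKEN_REQUEST_URL, $2 = audience
  case $1 in *\?*) sep='&' ;; *) sep='?' ;; esac
  printf '%s%saudience=%s' "$1" "$sep" "$(printf '%s' "$2" | sed 's/:/%3A/g; s|/|%2F|g')"
}

# Decode the JWT payload and print its string "aud" claim. This is a sanity
# check only: the signature is NOT verified here, the registry does that.
jwt_aud() {  # $1 = JWT
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
  printf '%s' "$p" | base64 -d | sed -n 's/.*"aud" *: *"\([^"]*\)".*/\1/p'
}

# Write the short-lived registry token so that only the job's user can read it.
write_npmrc() {  # $1 = registry token, $2 = npmrc path
  ( umask 077; printf '//registry.npmjs.org/:_authToken=%s\n' "$1" > "$2" )
  chmod 600 "$2"
}

exchange_and_publish() {  # $1 = package name, $2 = package directory
  id_token=$(curl -fsS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "$(oidc_request_url "$ACTIONS_ID_TOKEN_REQUEST_URL" "$AUDIENCE")" | jq -er .value)
  [ "$(jwt_aud "$id_token")" = "$AUDIENCE" ] || { echo "unexpected audience" >&2; return 1; }
  pkg=$(printf '%s' "$1" | sed 's|/|%2F|g')
  # Assumption: exchange endpoint path used by npm Trusted Publishing.
  npm_token=$(curl -fsS -X POST -H "Authorization: Bearer $id_token" \
    "https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/$pkg" | jq -er .token)
  echo "::add-mask::$npm_token"      # keep the token out of the job log
  write_npmrc "$npm_token" "$HOME/.npmrc"
  ( cd "$2" && npm publish --provenance )  # publish from inside the package dir
}

# Runs only in a job with `permissions: id-token: write` and two arguments.
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ "$#" -ge 2 ]; then
  exchange_and_publish "$1" "$2"
fi
```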