chore: rely on OIDC when publishing to npm (#2710)

ankita10119 · web-flow · commit beea72a27536 · 2026-01-08T15:11:41.000+05:30
## Description Drop reliance on an NPM token and use **OIDC** instead for publishing SDKs by configuring **trusted publishers**. ## References * [https://docs.npmjs.com/trusted-publishers](https://docs.npmjs.com/trusted-publishers) ## Testing * This change adds test coverage for new, changed, or fixed functionality. ## Checklist * [ ] I have added documentation for new or changed functionality in this PR or on **auth0.com/docs** * [ ] All active GitHub checks for tests, formatting, and security are passing * [ ] The correct base branch is being used (if not the default branch)
diff --git a/.github/actions/npm-publish/action.yml b/.github/actions/npm-publish/action.yml
@@ -3,8 +3,6 @@ name: Publish release to npm
 inputs:
   node-version:
     required: true
-  npm-token:
-    required: true
   version:
     required: true
   require-build:
@@ -26,6 +24,10 @@ runs:
         cache: 'npm'
         registry-url: 'https://registry.npmjs.org'
 
+    - name: Update npm
+      shell: bash
+      run: npm install -g npm@11
+
     - name: Install dependencies
       if: inputs.require-build == 'true'
       shell: bash
@@ -47,7 +49,6 @@ runs:
         else
           TAG="latest"
         fi
-        npm publish --provenance --tag $TAG
+        npm publish --tag $TAG
       env:
-        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -15,8 +15,6 @@ on:
     secrets:
       github-token:
         required: true
-      npm-token:
-        required: true
 
 ### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ -26,6 +24,9 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       # Checkout the code
@@ -70,7 +71,6 @@ jobs:
           require-build: ${{ inputs.require-build }}
           release-directory: ${{ inputs.release-directory }}
           version: ${{ steps.get_version.outputs.version }}
-          npm-token: ${{ secrets.npm-token }}
 
       # Create a release for the tag
       - uses: ./.github/actions/release-create
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,5 +21,4 @@ jobs:
       node-version: 18
       require-build: true
     secrets:
-      npm-token: ${{ secrets.NPM_TOKEN }}
       github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -128,7 +128,7 @@
     "jsonp": "^0.2.1",
     "password-sheriff": "^1.1.1",
     "prop-types": "^15.8.0",
-    "qs": "^6.10.3",
+    "qs": "^6.14.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-transition-group": "^4.4.5",
