
Conversation

@irrationnelle
Collaborator

Summary

This pull request implements OpenID Connect (OIDC) authentication for the npm package publishing workflow and enables provenance attestation for all published packages, enhancing the security and transparency of the release process.

Changes

Commit 3430f8f: Apply OIDC Authentication to GitHub Workflow

Modified the GitHub Actions release workflow (.github/workflows/release.yml) to utilize OIDC-based authentication instead of static token authentication:

  • Added explicit permissions for OIDC token generation:

    • id-token: write - Enables OIDC token creation
    • contents: write - Maintains repository write access
    • pull-requests: write - Preserves PR management capabilities
  • Removed static token authentication: Eliminated the NODE_AUTH_TOKEN environment variable that previously relied on the NPM_PUBLISH_TOKEN secret

This transition to OIDC provides enhanced security through short-lived, automatically managed authentication tokens issued by GitHub's identity provider, eliminating the need for long-lived static credentials.

Commit 587367a: Enable Provenance Attestation

Updated the publishConfig section across all 16 publishable packages in the monorepo to include "provenance": true:

  • @stackflow/config
  • @stackflow/core
  • @stackflow/react
  • All extension packages (compat-await-push, link, plugin-*, react-ui-core)
  • @stackflow/esbuild-config

Enabling provenance attestation provides cryptographically verifiable information about the build and publishing process, allowing package consumers to verify the authenticity and origin of published artifacts through npm's supply chain transparency features.

Benefits

  1. Enhanced Security: OIDC tokens are ephemeral and scoped, reducing the attack surface compared to long-lived static tokens
  2. Supply Chain Transparency: Provenance attestation provides verifiable build information, strengthening package integrity verification
  3. Compliance: Aligns with npm's security best practices and modern authentication standards
  4. Reduced Secret Management: Eliminates the need to rotate and manage static npm publish tokens
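As an added illustration (not the repository's own release.yml, which is not reproduced on this page), the shape of a release job that matches the permissions and token removal described above. The job and step names, the runner, the Node version and the setup-node/checkout actions are assumptions; the three permissions and the removed NODE_AUTH_TOKEN line are the changes this PR makes.

```yaml
# Added example, not the project's workflow. Illustrates a publish job that
# authenticates to the npm registry with GitHub's OIDC token instead of a
# long-lived NPM_PUBLISH_TOKEN secret.
name: Release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    # Job-level permissions introduced by this PR. id-token: write is what
    # lets the job mint an OIDC token; the other two keep the release
    # tooling able to push version commits and manage the release PR.
    permissions:
      id-token: write
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing is implemented in npm 11.5.1 and newer; older
      # npm versions fall back to looking for a static token and fail.
      - run: npm install -g npm@latest
      - run: npm ci
      # Before this PR the publish step carried a static secret:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      # With that line gone and id-token: write granted, the npm CLI
      # requests the OIDC token from GitHub and exchanges it with the
      # registry for a short-lived publish credential on its own.
      # "provenance": true in each package's publishConfig (the second
      # commit of this PR) makes the same publish attach a signed
      # provenance attestation, equivalent to `npm publish --provenance`.
      - run: npm publish --access public
```

The OIDC exchange only succeeds if each package on npmjs.com has this repository and workflow file registered as a trusted publisher; if that is not configured, the publish step fails with an authentication error rather than silently falling back to a token.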

@irrationnelle irrationnelle self-assigned this Nov 4, 2025
@irrationnelle irrationnelle added the enhancement New feature or request label Nov 4, 2025
@changeset-bot

changeset-bot bot commented Nov 4, 2025

🦋 Changeset detected

Latest commit: ffdfcdd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Nov 4, 2025

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Name: stackflow-docs
Status: ✅ Deployment successful! (View logs)
Latest Commit: ffdfcdd
Preview URL: Commit Preview URL
Updated (UTC): Nov 04 2025, 08:46 AM

@coderabbitai

coderabbitai bot commented Nov 4, 2025

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Enabled package provenance metadata for all packages and extensions.
  • Chores

    • Updated release workflow permissions and package configurations to support provenance reporting during publication.

Walkthrough

Adds provenance: true to publishConfig in multiple package.json files (16 total) and updates the GitHub Actions release workflow to add permissions (id-token, contents, pull-requests) and remove the NODE_AUTH_TOKEN env var, relying on GITHUB_TOKEN instead.

Changes

Cohort / File(s) / Summary

  • GitHub Actions Release Workflow
    • Files: .github/workflows/release.yml
    • Summary: Adds a permissions block enabling id-token, contents, and pull-requests write access; removes NODE_AUTH_TOKEN environment variable from the publish step and relies on GITHUB_TOKEN.
  • Root & Core Packages
    • Files: config/package.json, core/package.json
    • Summary: Adds provenance: true to publishConfig.
  • Extensions (group A)
    • Files: extensions/compat-await-push/package.json, extensions/link/package.json, extensions/plugin-basic-ui/package.json, extensions/plugin-devtools/package.json, extensions/plugin-google-analytics-4/package.json
    • Summary: Adds provenance: true to publishConfig in each file.
  • Extensions (group B)
    • Files: extensions/plugin-history-sync/package.json, extensions/plugin-map-initial-activity/package.json, extensions/plugin-preload/package.json, extensions/plugin-renderer-basic/package.json, extensions/plugin-renderer-web/package.json, extensions/plugin-stack-depth-change/package.json, extensions/react-ui-core/package.json
    • Summary: Adds provenance: true to publishConfig in each file.
  • Integrations & Utility Packages
    • Files: integrations/react/package.json, packages/esbuild-config/package.json
    • Summary: Adds provenance: true to publishConfig.
  • Changeset
    • Files: .changeset/gold-ideas-burn.md
    • Summary: Adds new changeset file (contains YAML separators).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer / PR
  participant GH as GitHub Actions
  participant Registry as npm Registry
  rect rgb(235,245,255)
    note right of GH: Release job (updated)
  end
  Dev->>GH: Trigger release workflow (push/release)
  GH->>GH: Check permissions (id-token, contents, pull-requests)
  GH-->>GH: Use GITHUB_TOKEN for auth (NODE_AUTH_TOKEN removed)
  GH->>Registry: Publish packages (publishConfig includes provenance:true)
  alt publish success
    Registry-->>GH: 200 OK
    GH-->>Dev: Success
  else publish failure
    Registry-->>GH: Error
    GH-->>Dev: Failure notification
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Repetitive, identical metadata additions across many package.json files — quick consistency checks only.
  • Review points:
    • .github/workflows/release.yml — confirm permission scope is minimal and publish step auth uses GITHUB_TOKEN correctly.
    • Spot-check a few modified package.json files for JSON formatting and trailing commas.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title clearly and specifically describes the two main changes: removing npm token authentication and applying OIDC to package publishing.
  • Description check: ✅ Passed. The description is comprehensive and directly related to the changeset, explaining the OIDC implementation, provenance attestation, and the security benefits involved.

@pkg-pr-new

pkg-pr-new bot commented Nov 4, 2025

@stackflow/demo

@stackflow/config

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/core

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/compat-await-push

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/link

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-basic-ui

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-devtools

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-google-analytics-4

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-history-sync

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-map-initial-activity

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-preload

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-renderer-basic

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-renderer-web

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/plugin-stack-depth-change

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/react-ui-core

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/react

yarn add https://pkg.pr.new/@stackflow/[email protected]

@stackflow/esbuild-config

yarn add https://pkg.pr.new/@stackflow/[email protected]

commit: ffdfcdd

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Nov 4, 2025

Deploying stackflow-demo with Cloudflare Pages

Latest commit: ffdfcdd
Status: ✅  Deploy successful!
Preview URL: https://f16d133d.stackflow-demo.pages.dev
Branch Preview URL: https://fix-apply-oidc-npm-registry.stackflow-demo.pages.dev

View logs

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 587367a and ffdfcdd.

📒 Files selected for processing (1)
  • .changeset/gold-ideas-burn.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Include a Changeset entry for any user-facing package change

Files:

  • .changeset/gold-ideas-burn.md
🪛 LanguageTool
.changeset/gold-ideas-burn.md

[grammar] ~1-~1: Hier könnte ein Fehler sein.
Context: --- ---

(QB_NEW_DE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Workers Builds: stackflow-docs
  • GitHub Check: Cloudflare Pages

Comment on lines +1 to +2
---
---
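Review bot: lines 1-2 of .changeset/gold-ideas-burn.md are an empty frontmatter, so the changesets tooling has nothing to release (the changeset-bot summary above already reports "release 0 packages"); the block between the two `---` lines needs one `"<package>": patch` entry per modified package. When filling it in, take the names from the 16 package.json files listed in the walkthrough (extensions/link, extensions/plugin-basic-ui, extensions/plugin-map-initial-activity, and so on) rather than from a template, since names that do not correspond to a workspace package will make the changeset version step fail.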

⚠️ Potential issue | 🔴 Critical

Changeset file is empty—requires package name and bump type.

This changeset file contains only YAML separators but is missing the required structured content. According to the coding guidelines, a Changeset entry is required for any user-facing package change.

The PR affects 16 publishable packages across the monorepo by adding "provenance": true to their publishConfig. The changeset should document these changes with the affected packages and their respective version bump types.

A proper changeset should follow this format:

---
"@stackflow/config": patch
"@stackflow/core": patch
"@stackflow/react": patch
"@stackflow/extension-link": patch
"@stackflow/plugin-history-sync": patch
"@stackflow/plugin-previous-stack": patch
"@stackflow/plugin-render-effect": patch
"@stackflow/react-ui-core": patch
"@stackflow/extension-basic-ui": patch
"@stackflow/esbuild-config": patch
---

Enable provenance attestation for npm packages via OIDC authentication. Updated publishConfig to include `"provenance": true` for cryptographic verification of build and publishing provenance. Also updated the GitHub Actions release workflow to use OIDC-based authentication instead of static npm tokens.

Please populate the changeset with the appropriate package names and version bump types (patch/minor/major) based on the semantic versioning impact of these changes.


🤖 Prompt for AI Agents
In .changeset/gold-ideas-burn.md around lines 1 to 2, the changeset is empty;
replace the empty frontmatter with a proper changeset listing the affected
packages (all set to patch) and add the release note body. Populate the YAML
frontmatter with the 16 package names each mapped to patch: "@stackflow/config":
patch, "@stackflow/core": patch, "@stackflow/react": patch,
"@stackflow/extension-link": patch, "@stackflow/plugin-history-sync": patch,
"@stackflow/plugin-previous-stack": patch, "@stackflow/plugin-render-effect":
patch, "@stackflow/react-ui-core": patch, "@stackflow/extension-basic-ui":
patch, "@stackflow/esbuild-config": patch, "@stackflow/esbuild-plugin-swc":
patch, "@stackflow/esbuild-plugin-swc-aot": patch,
"@stackflow/esbuild-plugin-swc-react": patch, "@stackflow/cli": patch,
"@stackflow/release-workflow": patch, "@stackflow/publish-config": patch; close
the frontmatter and add the body text describing enabling provenance attestation
via `"provenance": true` in publishConfig, and the GitHub Actions update to
OIDC-based authentication.

@irrationnelle irrationnelle merged commit b0bbf6c into main Nov 4, 2025
9 checks passed
@irrationnelle irrationnelle deleted the fix/apply-oidc-npm-registry branch November 4, 2025 09:25