From a7c0f4b83dea14becc499eb24a71de2ae065f5db Mon Sep 17 00:00:00 2001 From: Evan Rusackas Date: Thu, 18 Jun 2026 13:43:23 -0700 Subject: [PATCH] fix(embedded-sdk): omit registry-url so npm uses OIDC publishing (#41211) Co-authored-by: Claude Opus 4.8 --- .github/workflows/embedded-sdk-release.yml | 24 ++++++++++++++-------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/embedded-sdk-release.yml b/.github/workflows/embedded-sdk-release.yml index 5e5f43a5be7..67fc7e4b8a4 100644 --- a/.github/workflows/embedded-sdk-release.yml +++ b/.github/workflows/embedded-sdk-release.yml @@ -26,17 +26,23 @@ jobs: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false + # Note: registry-url is intentionally omitted. When set, actions/setup-node + # writes an .npmrc with `_authToken=${NODE_AUTH_TOKEN}` and a placeholder + # token, which makes npm attempt token auth and skip the OIDC + # trusted-publishing exchange. With no .npmrc auth line, npm authenticates + # via OIDC against the default registry (registry.npmjs.org). - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: "./superset-embedded-sdk/.nvmrc" - registry-url: "https://registry.npmjs.org" + # Diagnostic: confirm GitHub OIDC is granted to this job. npm trusted + # publishing needs the id-token request env vars; "no" here means OIDC was + # not issued and publishing cannot authenticate. + - name: Check OIDC availability + run: | + if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then + echo "GitHub OIDC available to job: yes" + else + echo "GitHub OIDC available to job: no" + fi - run: npm ci - run: npm run ci:release - env: - # actions/setup-node injects a placeholder NODE_AUTH_TOKEN - # (XXXXX-XXXXX-XXXXX-XXXXX) when registry-url is set, which makes npm - # attempt failed token auth and skip the OIDC trusted-publishing - # exchange. Clear it so npm authenticates via OIDC. The Node pinned in - # .nvmrc (v24.16.0) ships npm 11.13, satisfying the >= 11.5.1 - # trusted-publishing requirement, so no manual npm upgrade is needed. - NODE_AUTH_TOKEN: ""