feat: migrate to npm trusted publishing with OIDC#474

Merged: azu merged 7 commits into master from oidc on Sep 8, 2025

Conversation

azu (Member) commented Sep 8, 2025

Summary

This PR migrates the npm publishing process from traditional token-based authentication to OpenID Connect (OIDC) trusted publishing. This enhancement provides automatic package provenance, improved security through short-lived tokens, and verifiable build attestations for all published packages.

Key Changes

  • OIDC Authentication: Replaced long-lived NPM_TOKEN with GitHub's OIDC provider for secure, temporary authentication
  • Package Provenance: Enabled automatic provenance generation for all npm packages, providing cryptographic proof of build origin
  • Provenance Monitoring: Added automated workflow to track provenance status across all packages and provide visibility through PR comments

Motivation

Traditional npm tokens pose several security risks:

  • Long-lived credentials that can be compromised
  • No automatic link between published packages and their source code
  • Limited auditability of package origins

OIDC trusted publishing addresses these concerns by:

  • Using short-lived tokens that expire after each workflow run
  • Establishing cryptographic proof linking packages to their GitHub source
  • Enabling npm users to verify package authenticity through provenance attestations

Changes in Detail

1. Release Workflow Migration (.github/workflows/release.yml)

  • Added id-token: write permission to enable OIDC token generation
  • Added NPM_CONFIG_PROVENANCE: true environment variable for automatic provenance
  • Removed NPM_TOKEN and NODE_AUTH_TOKEN from secrets
  • Updated publish step to use OIDC authentication implicitly
  • Enhanced documentation with OIDC configuration details
  • Fixed template injection vulnerabilities identified by zizmor

2. Provenance Status Monitoring (.github/workflows/check-provenance.yml)

New workflow that:

  • Checks provenance status for all published packages
  • Runs on PRs that modify package configurations
  • Provides automated PR comments with provenance status
  • Sets commit status checks for visibility
  • Handles both published and unpublished packages gracefully

Security Benefits

  1. No Long-Lived Secrets: Eliminates the need for storing NPM_TOKEN in GitHub secrets
  2. Verifiable Builds: Users can verify packages were built and published from this repository
  3. Supply Chain Security: Provides transparency about package origins and build environment
  4. Automatic Rotation: Tokens are automatically rotated with each workflow run
  5. Template Injection Protection: Fixed potential security vulnerabilities in GitHub Actions scripts

Breaking Changes

None. This change is transparent to package consumers and maintains backward compatibility.

Test Plan

Manual Verification Required

  1. Release Process Validation

    • Trigger a test release on a feature branch
    • Verify OIDC authentication succeeds without npm token
    • Confirm packages are published with provenance badges on npm
  2. Provenance Check Workflow

    • Create a test PR modifying package.json
    • Verify the provenance check workflow runs and comments on the PR
    • Confirm the comment correctly identifies packages with/without provenance
  3. npm Registry Verification

    • After publishing, visit npm package pages
    • Verify the "Provenance" badge appears next to package versions
    • Click provenance link to confirm it shows correct GitHub repository and workflow
  4. Error Scenarios

    • Test workflow behavior if npm registry is unavailable
    • Verify graceful handling of unpublished packages
    • Confirm workflow continues if provenance check fails for individual packages

Migration Notes

  • The repository must be configured for OIDC publishing on npm (one-time setup per package)
  • Existing NPM_TOKEN secret can be removed after successful migration
  • First release with OIDC will establish the trusted publisher relationship

References

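As an added illustration (not the PR's own release.yml or the honkit project's code), this is the shape of a release job after the migration described in section 1: the `id-token: write` permission, `NPM_CONFIG_PROVENANCE`, no `NPM_TOKEN`, and the env-variable pattern that addresses the kind of template-injection finding zizmor reports. The workflow name, tag trigger, Node version and job layout are assumptions.

```yaml
# Added example, not the project's release.yml. Names and versions are assumed.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write      # allows the job to request a GitHub OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      NPM_CONFIG_PROVENANCE: "true"   # npm attaches a provenance attestation on publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI
      - run: npm ci
      # Before the migration this step carried a long-lived secret:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # After: no token at all. npm presents the job's OIDC token to the registry,
      # which checks it against the trusted publisher (repo + workflow file) and
      # issues a short-lived credential scoped to this run.
      - run: npm publish --access public
      # Template-injection pattern (the class of issue zizmor flags):
      #   run: echo "Releasing ${{ github.event.head_commit.message }}"
      # Attacker-influenced event data is expanded into the shell script itself.
      # Hardened form: pass it through env so the shell treats it as data.
      - run: echo "Releasing $COMMIT_MESSAGE"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
```

Provenance only appears on npm if the package's trusted publisher entry matches the repository and workflow path exactly, so a renamed workflow file silently falls back to a failed (unauthenticated) publish rather than an unsigned one.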

- Replace NPM_TOKEN with OIDC authentication
- Add id-token permission for GitHub Actions
- Enable npm provenance for published packages
- Add workflow to check package provenance status
- Fix template injection vulnerabilities
github-actions bot (Contributor) commented Sep 8, 2025

📦 NPM Package Status

Published Packages Missing OIDC Configuration

Configure OIDC for these packages:

Setup Instructions:

  1. Click each package link above
  2. Click "Add trusted publisher"
  3. Configure with:
    • Repository: honkit/honkit
    • Workflow: .github/workflows/release.yml
    • Environment: (leave empty)

@azu azu self-assigned this Sep 8, 2025
@azu azu added the Type: CI Changes to CI configuration files and scripts label Sep 8, 2025
azu and others added 6 commits September 8, 2025 20:54
Resolved conflicts:
- package.json: Updated lint-staged to v16, removed lerna dependency
- pnpm-lock.yaml: Regenerated after package.json changes
- lerna.json: Removed (following oidc branch approach)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…g install

The prepublish script was running during pnpm install and cleaning the lib directory,
causing "Cannot find module '../lib/bin.js'" error in CI.

Changed to prepublishOnly so it only runs during actual npm publish.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
The single quotes in pnpm filter commands were not working on Windows PowerShell,
causing "No projects matched the filters" error in CI.

Changed to escaped double quotes for cross-platform compatibility.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Removed commit-version script as it's no longer needed with the new CI workflow.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@azu azu marked this pull request as ready for review September 8, 2025 12:48
@azu azu merged commit 811beca into master Sep 8, 2025
21 checks passed
@azu azu deleted the oidc branch September 8, 2025 12:55
@azu azu mentioned this pull request Sep 8, 2025