
fix(#1440): Support NPM OIDC tokens by not exporting default NODE_AUTH_TOKEN#1477

Open
Satishchoudhary94 wants to merge 1 commit into actions:main from Satishchoudhary94:fix/oidc-support-1440

Conversation

@Satishchoudhary94

Problem

The action was exporting a fake NODE_AUTH_TOKEN value (XXXXX-XXXXX-XXXXX-XXXXX) by default,
which broke NPM OIDC authentication. OIDC requires NODE_AUTH_TOKEN to be either unset or empty.

Solution

Only export NODE_AUTH_TOKEN if it was explicitly provided by the user.

Changes

  • Modified configAuthentication() in authutil.ts to check if NODE_AUTH_TOKEN exists before exporting
  • Added tests to verify OIDC behavior

Testing

  • All authutil tests pass (15/15)
  • OIDC authentication now works properly
  • Backward compatible with users who explicitly provide tokens

…ODE_AUTH_TOKEN

This change addresses issue actions#1440 where NPM OIDC authentication was broken
because the action was exporting a fake NODE_AUTH_TOKEN value by default.

NPM OIDC requires NODE_AUTH_TOKEN to either be unset or empty for proper
authentication. The fix only exports NODE_AUTH_TOKEN if it was explicitly
set by the user, allowing OIDC to work while maintaining backward compatibility
for users who explicitly provide tokens.

BREAKING CHANGE: Users who rely on the fake default token should now explicitly
provide NODE_AUTH_TOKEN in their workflows or use OIDC authentication.

Fixes actions#1440
Related: actions#1440
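The before/after logic the PR describes, plus a pre-publish check a workflow could run, as an added example written for this page rather than code from the setup-node repository; the function names, the `Env` type and the `npm_abc` sample token are assumptions, and the placeholder value is the one quoted above.

```typescript
// Added example modelling the behaviour described in the PR; not the
// project's own authutil.ts. Names below are hypothetical.
const PLACEHOLDER_TOKEN = "XXXXX-XXXXX-XXXXX-XXXXX"; // value quoted in the PR

type Env = Record<string, string | undefined>;

// Pre-fix behaviour as the PR describes it: NODE_AUTH_TOKEN is always
// exported, with the placeholder substituted when the user gave no token.
function exportTokenLegacy(env: Env, userToken?: string): Env {
  return { ...env, NODE_AUTH_TOKEN: userToken ?? PLACEHOLDER_TOKEN };
}

// Post-fix behaviour as the PR describes it: export NODE_AUTH_TOKEN only when
// the user explicitly supplied a non-empty value; otherwise leave the
// environment untouched so npm can fall back to OIDC. (An empty string is
// treated like "not provided" here; the PR says empty is OIDC-compatible too.)
function exportTokenFixed(env: Env, userToken?: string): Env {
  if (userToken !== undefined && userToken !== "") {
    return { ...env, NODE_AUTH_TOKEN: userToken };
  }
  return { ...env };
}

// Preflight check to run before `npm publish` in an OIDC (trusted publishing)
// job. Returns null when the environment is OIDC-compatible (token unset or
// empty), otherwise a reason string. The token value itself is never echoed,
// so the message is safe to print in job logs.
function oidcBlocker(env: Env): string | null {
  const token = env.NODE_AUTH_TOKEN;
  if (token === undefined || token === "") return null;
  if (token === PLACEHOLDER_TOKEN) {
    return "NODE_AUTH_TOKEN is the setup-node placeholder; unset it to use OIDC";
  }
  return "NODE_AUTH_TOKEN is set; npm will use token auth, not OIDC";
}
```

Note that the fixed exporter leaves a NODE_AUTH_TOKEN already present in the job environment alone, which is why the preflight check is still useful when the variable is injected from elsewhere.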
@Satishchoudhary94 Satishchoudhary94 requested a review from a team as a code owner January 18, 2026 14:14
@jrjohnson

Lost an entire day debugging trusted publishing today when it was this secret token the entire time. The world will be a better place if this PR gets merged!

@Satishchoudhary94
Author

@jrjohnson Thanks for confirming this helps! Appreciate the feedback 🙌

@gowridurgad
Contributor

Hi @Satishchoudhary94, thank you for your contribution!

@jrjohnson, @TheJefe, as discussed in the comments on issue #1440, we were able to successfully publish to npm using OIDC with the existing setup-node code. Could you please check and confirm if you are also able to do so on your end?

@Satishchoudhary94 , could you kindly let us know whether these changes are still needed and share any specific use cases that required these file modifications?

We truly appreciate your effort and look forward to hearing from you. Thanks!

@gowridurgad
Contributor

Hi everyone, Gentle reminder on this. Looking forward to your update when you have a moment.
Thanks!

@Satishchoudhary94
Author

Satishchoudhary94 commented Apr 18, 2026

Hi @gowridurgad, thanks a lot for taking the time to check this.

I went through this again carefully from my side.

From what I've observed, this issue seems to depend on the environment. In cases where a default NODE_AUTH_TOKEN gets set (even as a placeholder), npm does not fall back to OIDC and instead tries token-based auth, which leads to failure.

At the same time, I completely understand why it may be working fine in your setup: if the variable isn't being injected or is already unset, the issue won't show up.

So this change is mainly to make the behavior safer and more predictable:

  • Avoid exporting a placeholder token by default
  • Ensure OIDC flows are not unintentionally affected

This also aligns with feedback from users who had to manually unset NODE_AUTH_TOKEN to make OIDC work.

If it helps, I’m happy to share a minimal repro workflow where this difference is visible. Totally open to suggestions or improvements here as well.

Thanks again for the review!
