
[Feature] Support for OIDC auth for npm publish #6831

Open
@cprecioso

Description

  • I'd be willing to implement this feature (contributing guide)
    This feature is important to have in this repository; a contrib plugin wouldn't do

Describe the user story

As a developer, I want to automatically publish packages to the npm registry from my CI/CD pipeline, but this usually requires me to create and manage long-lived auth tokens, which can become security issues, or expire without notice.

Describe the solution you'd like

npm is implementing OIDC authentication in their CLI and registry. In this workflow, the CI provider creates and signs a short-lived OIDC token the tool can send to the registry (which decides whether to trust it based on the user's configuration) and get a short-lived auth token in exchange.

Describe the drawbacks of your solution

  • Adding complexity to the CLI
  • More environment-dependent functionality
  • Aligning too much with GitHub/NPM's way of doing things(?)

Describe alternatives you've considered

Why not make it a plugin? There's not an npm login hook AFAICS (https://yarnpkg.com/api/yarnpkg-core/interface/Hooks), and the npm registry functionality is already part of the core plugins. Moreover, other id-token interactions such as publish provenance are already implemented in core.

    Labels

    enhancement (New feature or request)
