[Feature] Publish packages to NPM via OIDC

[mxschmitt]

Motivation: Authentication flows are more and more secret-free / secret-less. OIDC provides a way to say in simple terms: allow publishing from GitHub repository github.com/foo/bar with branch 'main' to a new NPM version.

This is similar to how the authentication flow from GitHub Actions to Azure works and is recommended nowadays. There you set the OIDC subject to a similar value.

Similar to npm/feedback#872

Scope: npmjs.com

[Shegox]

I fully support this suggestion. Enabling OIDC federation between GitHub.com and npmjs.com would be incredibly beneficial, similar to how PyPI handles it: Configuring OpenID Connect in PyPI.

Our specific use case involves multiple repositories managed by different teams, all releasing packages under the same scope on npmjs. To manage permissions, we currently create granular access tokens and distribute them to the GitHub Actions Secrets of individual repositories. Since these granular access tokens cannot be created via API, the process must be done manually, including the manual rotation of these tokens, which is cumbersome.

Additionally, I would like to highlight a notable feature of the PyPI setup: the ability to configure OIDC for a not yet existing package. With npmjs.com, you must first create a dummy version before generating a granular access token for the package. If OIDC is implemented, it would be fantastic if we could directly set it up for packages that don't yet exist.

[janbrasna]

I would even go as far as suggesting that npmjs.com should be able to understand the actual GITHUB_TOKEN if granted packages:write and allow setting the publishing or connecting the package and its repo in the same way as the GH registry does.

I would have expected more integration since npm has been acquired some five years ago. (In my use-case, I'd still prefer to use npmjs registry for continuity instead of pkg.gh, but am not really willing to manage isolated users, permissions, accounts etc. separately there — and would love to just link the npmjs packages to the gh repos, and let the access controls there do their magic regarding teams, granular permissions, automation tokens etc. — eventually be just able to publish with GITHUB_TOKEN in CI…)

[0xGorilla]

How can we help move this forward? The current publishing workflow is quite dangerous, I think we can all agree on that one.

[leobalter]

I don't wanna break the spoilers here but we are actively working on this feature. I should have a post with timelines coming up in the next couple weeks.

[turtlemoji]

this are great news ❤️

[aripalo]

This is fantastic news! 🤩 I have a lot of workflows that dual publish to both GitHub Packages and npmjs.com. Having to manage the npmjs.com access tokens is kinda PITA (especially dealing with rotation) and potential security concern if done wrong.