🚀 Coming Soon: OpenID Connect (OIDC) Support for npm Registry

[leobalter]

Hello npm community! 👋

We're excited to announce that we're bringing OpenID Connect (OIDC) authentication to the npm registry! This new feature will enable more secure, token-less authentication for publishing packages in your CI/CD workflows.

What's Coming?

OIDC support will allow you to publish npm packages from your CI/CD workflows without managing npm tokens. Your CI/CD provider's identity tokens will authenticate directly with the npm registry, providing:

• 🔐 Enhanced Security: No more long-lived tokens stored in your CI/CD secrets
• 🔄 Simplified Token Management: Automatic, short-lived authentication
• 🏗️ Trusted Publishing: Packages published directly from verified CI/CD workflows
• 🚀 Native CI/CD Integration: Seamless authentication in your existing pipelines

Initial Platform Support

At launch, we'll support package publishing from:

• GitHub Actions workflows
• GitLab CI/CD pipelines

We plan to expand support to additional platforms based on community feedback and demand.

Timeline

• 🔧 npm CLI Support: a PR with The CLI changes is ready (before the registry feature goes live)
• 🎯 Private Preview: June 2025 - Limited access for early testers
• 🌍 Public Release: July 2025 (tentative) - General availability for all users

Note: Timelines are subject to change based on testing and feedback during the private preview.

Get Involved!

We want to hear from you! This thread is your space to:

• 🙋 Express interest in joining the private preview
• 💭 Share feedback on the upcoming feature
• 🤔 Ask questions about OIDC implementation
• 🚀 Suggest additional platforms you'd like to see supported
• 📝 Discuss use cases for secure package publishing

Interested in the Private Preview?

If you'd like to be considered for the private preview in June, please comment below with:

1. Your use case for OIDC-based package publishing
2. Which platform you'd primarily use (GitHub Actions or GitLab)
3. How many packages you typically publish and how often

Stay Updated

We'll use this thread to share updates, documentation links, and gather feedback throughout the rollout. Make sure to watch this discussion to stay informed!

Looking forward to your feedback and building this together with the community! 🎉

---

The npm Team at GitHub

[blaine-arcjet]

Super excited for OIDC support on npm! We at Arcjet would love to be part of the private preview in June.

1. Your use case for OIDC-based package publishing

We publish the arcjet-js SDK to npm but don't currently use CI publishing due to security concerns around long-lived tokens. We also want to add build provenance which is easiest using CI publishing.

2. Which platform you'd primarily use (GitHub Actions or GitLab)

GitHub Actions.

3. How many packages you typically publish and how often

I think we're up to 33 packages now. We generally publish once or twice per month.

[arcjet-rei]

Just cosigning to say that strengthening the chain of custody and also improving Arcjet's ability to automate more steps of the publishing process would be extremely useful in making it easier for us to deploy more often and with greater confidence.

[travi]

🙋 Express interest in joining the private preview

we'd love to be involved in the preview so we can make sure semantic-release is ready for the public release.

1. ensure we can support folks publishing with the semantic-release npm plugin
2. GitHub Actions
3. we have 24 packages within the semantic-release org and publish as soon as a user-facing feature is available, including dependency updates

[travi]

from a testing perspective, https://www.npmjs.com/org/form8ion has 87 packages that are often published more often than our official semantic-release packages, so it could be helpful to also include that org so we could evaluate semantic-release changes on active packages before a stable release

[travi]

🚀 Suggest additional platforms you'd like to see supported

out of curiosity, is supporting OIDC for other registries, like Artifactory, part of the plan?