🚀 Coming Soon: OpenID Connect (OIDC) Support for npm Registry #161015

leobalter · 2025-05-29T18:21:01Z

leobalter
May 29, 2025
Maintainer

Hello npm community! 👋

We're excited to announce that we're bringing OpenID Connect (OIDC) authentication to the npm registry! This new feature will enable more secure, token-less authentication for publishing packages in your CI/CD workflows.

What's Coming?

OIDC support will allow you to publish npm packages from your CI/CD workflows without managing npm tokens. Your CI/CD provider's identity tokens will authenticate directly with the npm registry, providing:

🔐 Enhanced Security: No more long-lived tokens stored in your CI/CD secrets
🔄 Simplified Token Management: Automatic, short-lived authentication
🏗️ Trusted Publishing: Packages published directly from verified CI/CD workflows
🚀 Native CI/CD Integration: Seamless authentication in your existing pipelines

Initial Platform Support

At launch, we'll support package publishing from:

GitHub Actions workflows
GitLab CI/CD pipelines

We plan to expand support to additional platforms based on community feedback and demand.

Timeline

🔧 npm CLI Support: a PR with The CLI changes is ready (before the registry feature goes live)
🎯 Private Preview: June 2025 - Limited access for early testers
🌍 Public Release: July 2025 (tentative) - General availability for all users

Note: Timelines are subject to change based on testing and feedback during the private preview.

Get Involved!

We want to hear from you! This thread is your space to:

🙋 Express interest in joining the private preview
💭 Share feedback on the upcoming feature
🤔 Ask questions about OIDC implementation
🚀 Suggest additional platforms you'd like to see supported
📝 Discuss use cases for secure package publishing

Interested in the Private Preview?

If you'd like to be considered for the private preview in June, please comment below with:

Your use case for OIDC-based package publishing
Which platform you'd primarily use (GitHub Actions or GitLab)
How many packages you typically publish and how often

Stay Updated

We'll use this thread to share updates, documentation links, and gather feedback throughout the rollout. Make sure to watch this discussion to stay informed!

Looking forward to your feedback and building this together with the community! 🎉

The npm Team at GitHub

Answered by leobalter

Jul 31, 2025

Trusted publishing with OIDC is now generally available!

Huge thanks to all those who participated in the private preview and provided feedback, that helped us a lot verifying usage and working on small fixes and improvements before the public release!

View full answer

blaine-arcjet · 2025-05-30T20:10:58Z

blaine-arcjet
May 30, 2025

Super excited for OIDC support on npm! We at Arcjet would love to be part of the private preview in June.

Your use case for OIDC-based package publishing

We publish the arcjet-js SDK to npm but don't currently use CI publishing due to security concerns around long-lived tokens. We also want to add build provenance which is easiest using CI publishing.

Which platform you'd primarily use (GitHub Actions or GitLab)

GitHub Actions.

How many packages you typically publish and how often

I think we're up to 33 packages now. We generally publish once or twice per month.

1 reply

arcjet-rei May 31, 2025

Just cosigning to say that strengthening the chain of custody and also improving Arcjet's ability to automate more steps of the publishing process would be extremely useful in making it easier for us to deploy more often and with greater confidence.

travi · 2025-05-30T20:21:02Z

travi
May 30, 2025

🙋 Express interest in joining the private preview

we'd love to be involved in the preview so we can make sure semantic-release is ready for the public release.

ensure we can support folks publishing with the semantic-release npm plugin
GitHub Actions
we have 24 packages within the semantic-release org and publish as soon as a user-facing feature is available, including dependency updates

1 reply

travi May 30, 2025

from a testing perspective, https://www.npmjs.com/org/form8ion has 87 packages that are often published more often than our official semantic-release packages, so it could be helpful to also include that org so we could evaluate semantic-release changes on active packages before a stable release

travi · 2025-06-02T21:21:43Z

travi
Jun 2, 2025

🚀 Suggest additional platforms you'd like to see supported

out of curiosity, is supporting OIDC for other registries, like Artifactory, part of the plan?

1 reply

leobalter Jun 23, 2025
Maintainer Author

We don't have specific plans for other registries at this moment. It seems like most of the support for other registries could be done directly on the cli once our public PR is ready.

mxschmitt · 2025-06-23T08:36:36Z

mxschmitt
Jun 23, 2025

🙋 Yay! Express interest in joining the private preview

No need for tokens anymore / no need to refresh them. We publish our Playwright packages via NPM. Managing the tokens across different repositories is hard.
GitHub Actions
Around 20 every day

0 replies

Shegox · 2025-06-23T11:49:54Z

Shegox
Jun 23, 2025

I would be interested as well in the preview if you need additional tokens

We have a GitHub organization (SAP) and a npm organization/scope (@SAP) and different development teams with individual repositories and packages. Currently we started to centrally distribute granular npm tokens to the relevant GitHub Action Secrets using a single technical user (https://www.npmjs.com/~sap-ospo-admin). With OIDC-trust we could eliminate this token distribution and rather relay a one-time trust setup.
GitHub Actions
Currently only 7 packages with a handful of releases a month.

0 replies

spowser · 2025-07-02T19:22:31Z

spowser
Jul 2, 2025

Please add Azure DevOps to the shortlist of supported CI/CD platforms. 🙏

0 replies

tom-sherman · 2025-07-11T10:22:34Z

tom-sherman
Jul 11, 2025

Will this include using OIDC for fetching/resolving packages from the registry via OIDC? Or just publishing?

If just publishing, do you plan to support OIDC for npm i?

1 reply

This comment was marked as off-topic.

Sign in to view

dominikg · 2025-07-28T14:16:53Z

dominikg
Jul 28, 2025

How do you identify which npm package is allowed to be published by what repo (fork are not allowed to, right?)

How do you prevent malicious command injection in a workflow crafting a directory with malware and running npm publish ? (eg via dependency post-install script, third-party action, maybe as part of a second step after obtaining access to a reputable package used in lots of release processes...)

1 reply

janbrasna Jul 30, 2025

Configuring claims with the subject to be allowed: https://docs.github.com/en/actions/concepts/security/openid-connect#understanding-the-oidc-token
Publishing only allowed with id-token:write https://docs.github.com/en/actions/reference/security/oidc#workflow-permissions-for-the-requesting-the-oidc-token

SuperchupuDev · 2025-07-28T14:30:03Z

SuperchupuDev
Jul 28, 2025

This is great! Will there be a way to restrict packages so that they can only be published through OIDC? That way, even if a maintainer's npm token is compromised, an attacker won't be able to publish unauthorized package versions without write access to the repo

0 replies

leobalter · 2025-07-31T17:51:05Z

leobalter
Jul 31, 2025
Maintainer Author

Trusted publishing with OIDC is now generally available!

Huge thanks to all those who participated in the private preview and provided feedback, that helped us a lot verifying usage and working on small fixes and improvements before the public release!

0 replies

mrgrain · 2025-08-02T17:38:16Z

mrgrain
Aug 2, 2025

Nice one! Would love to get OIDC support for npm dist-tag or alternatively support for multiple --tag with npm publish.

Many packages maintain multiple tags for a release. To support this, I now still need to use an API token and they can't be scoped to dist-tag only.

0 replies

Nishikant4246 · 2025-08-09T12:39:41Z

Nishikant4246
Aug 9, 2025

Use Casee: I publish a mix of open-source and private npm packages, and managing long-lived tokens in CI/CD can be risky and tedious. OIDC’s short lived, tokenless approach would be a huge security and convenience boost for my workflows.
Platform: GitHub Actions.
Publishing Frequency: Around 5–8 packages, updated 2–3 times per month.
Really looking forward to trying this out in the private preview and sharing feedback!!

0 replies

🚀 Coming Soon: OpenID Connect (OIDC) Support for npm Registry #161015

Uh oh!

Uh oh!

leobalter May 29, 2025 Maintainer

What's Coming?

Initial Platform Support

Timeline

Get Involved!

Interested in the Private Preview?

Stay Updated

Replies: 12 comments · 5 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

leobalter Jun 23, 2025 Maintainer Author

Uh oh!

🙋 Yay! Express interest in joining the private preview

Uh oh!

Uh oh!

Uh oh!

This comment was marked as off-topic.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

leobalter Jul 31, 2025 Maintainer Author

Uh oh!

Uh oh!

leobalter
May 29, 2025
Maintainer

Replies: 12 comments 5 replies

leobalter Jun 23, 2025
Maintainer Author

leobalter
Jul 31, 2025
Maintainer Author