
Conversation

@MantisClone
Member

@MantisClone MantisClone commented Oct 17, 2025

Problem

NPM package publishing uses long-lived tokens (NODE_AUTH_TOKEN) which pose security risks if compromised or exposed.

Solution

  • Implement OIDC Trusted Publisher authentication for secure, token-less NPM publishing
  • Update GitHub Actions workflow with required OIDC permissions
  • Upgrade to Node 20 (Node 18 reached EOL in March 2025)
  • Ensure npm 11.5.1+ for OIDC support

Considerations

  • Trusted Publishers must be configured on npmjs.com for all packages
  • No backward compatibility issues - workflow maintains same triggers
  • Automatic provenance generation included with OIDC publishing

Summary by CodeRabbit

  • Documentation

    • Updated release process documentation for clarity on authentication methods.
    • Fixed typographical errors in project documentation.
  • Chores

    • Updated CI/CD pipeline with Node.js 20 and enhanced npm publishing security.

- Add OIDC permissions (id-token: write, contents: read)
- Update to actions/setup-node@v4 and Node 20
- Add npm update step to ensure npm 11.5.1+
- Remove NODE_AUTH_TOKEN (OIDC handles authentication)
- Update documentation to mention OIDC publishing
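A workflow that applies the four changes listed in this PR description (OIDC permissions, setup-node v4 with Node 20, an npm update to 11.5.1+, and no NODE_AUTH_TOKEN), shown as an added illustration rather than the repository's own npm-publish.yaml. The job layout, the `packages/<name>` directory paths and the matrix are assumptions; the package names are the ones listed in the review comments in this thread. The "before" token step appears only as a comment beside the token-less one.

```yaml
# Added example, not the repository's own npm-publish.yaml: job names, paths
# and the matrix entries are assumptions (package names come from the review
# comments in this thread).
name: Publish to npm

on:
  release:
    types: [published]

# Workflow-level, least-privilege permissions. id-token: write lets the job
# request the short-lived OIDC token that npm verifies against the Trusted
# Publisher configured on npmjs.com; contents: read is all checkout needs.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        package:
          - add-stakeholder
          - create-invoice-form
          - invoice-dashboard
          - payment-widget
          - single-invoice
    steps:
      - uses: actions/checkout@v4

      # Node 18 reached EOL in March 2025; OIDC publishing needs npm 11.5.1+.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # No registry-url on purpose (assumption): with it, setup-node writes
          # an .npmrc that references ${NODE_AUTH_TOKEN}, which this workflow
          # no longer sets. The default registry is registry.npmjs.org.

      - name: Update npm for OIDC support
        run: npm install -g npm@latest

      # Fail fast with a readable message if the runner's npm predates OIDC
      # support, instead of letting `npm publish` fail with an auth error.
      - name: Verify npm >= 11.5.1
        run: |
          v="$(npm --version)"
          lowest="$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)"
          [ "$lowest" = "11.5.1" ] || { echo "npm $v is too old for OIDC publishing"; exit 1; }

      - name: Install and build
        working-directory: packages/${{ matrix.package }}   # path is assumed
        run: |
          npm ci
          npm run build

      # Before this change the publish step carried
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # i.e. a long-lived secret usable from any machine that obtains it. With
      # OIDC, npm exchanges the job's identity token for a short-lived publish
      # credential tied to this repository and workflow, and provenance is
      # attached automatically (no extra flag needed).
      - name: Publish @requestnetwork/${{ matrix.package }}
        working-directory: packages/${{ matrix.package }}
        run: npm publish --access public   # scoped packages default to restricted
```

The version guard is the one piece worth keeping even if the rest of the layout differs: without it, a stale npm on the runner surfaces as an opaque 401/403 from the registry rather than as "npm too old".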
@coderabbitai
Contributor

coderabbitai bot commented Oct 17, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Migrates NPM publishing authentication from token-based to OIDC Trusted Publisher in GitHub Actions. Updates Node setup action from v3 to v4, upgrades Node.js version from 18 to 20, and adds npm update step. Documentation reflects these authentication changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **GitHub Actions Workflow Update** `.github/workflows/npm-publish.yaml` | Adds id-token write and contents read permissions; upgrades setup-node from v3 to v4; updates Node.js from v18 to v20; adds npm update step; removes NODE_AUTH_TOKEN environment variable in favor of OIDC authentication. |
| **Documentation Updates** `CONTRIBUTING.md`, `README.md` | Updates Release Process documentation to specify OIDC Trusted Publisher authentication for NPM publishing; fixes typo "workinng" → "working" in README; clarifies authentication method in release steps. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

The changes are primarily configuration updates and documentation clarifications. The workflow modifications are straightforward: permission additions, action version upgrades, and environment variable removal. Documentation updates are minor and consistent. No complex logic or behavioral changes requiring deep analysis.

Suggested reviewers

  • rodrigopavezi
  • aimensahnoun

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title Check | ✅ Passed | The pull request title "chore: add OIDC Trusted Publisher for NPM" directly and clearly summarizes the primary objective of the changeset. The title accurately reflects the main change across all three modified files: implementing OIDC Trusted Publisher authentication in the GitHub Actions workflow, updating documentation to reflect this new authentication method, and fixing a minor typo. The title is concise, specific, and would allow a teammate scanning the git history to immediately understand the purpose of this changeset. While the PR includes secondary changes like upgrading Node.js to version 20 and updating npm, these are supporting changes to enable the primary objective, which the title appropriately captures. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@MantisClone MantisClone marked this pull request as ready for review October 17, 2025 21:12
@Copilot Copilot AI review requested due to automatic review settings October 17, 2025 21:12

Copilot AI left a comment


Pull Request Overview

This PR transitions NPM package publishing from long-lived token authentication to OpenID Connect (OIDC) Trusted Publisher for improved security. The change eliminates the need for manually managed NODE_AUTH_TOKEN secrets by leveraging GitHub's OIDC identity tokens.

Key changes:

  • Added OIDC permissions (id-token: write) to the workflow for token-less authentication
  • Upgraded Node.js from version 18 to 20 and setup-node action from v3 to v4
  • Removed NODE_AUTH_TOKEN secret references from publish steps

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| `.github/workflows/npm-publish.yaml` | Added OIDC permissions, upgraded Node/npm versions, removed token-based authentication |
| `README.md` | Updated deployment documentation to mention OIDC authentication |
| `CONTRIBUTING.md` | Updated release documentation to clarify token-less publishing |


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/npm-publish.yaml (2)

38-40: npm upgrade is necessary for OIDC support.

Installing npm@latest ensures OIDC support (npm 11.5.1+), and step placement is correct. Consider pinning to a minimum version (e.g., [email protected]) for reproducibility, but @latest is pragmatic for a maintained tool.

Consider using an explicit version constraint for enhanced reproducibility:

-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm for OIDC support
+        run: npm install -g [email protected]
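Review bot: the replacement line `npm install -g npm@<version>` pins one exact npm release rather than enforcing the "11.5.1+" minimum the comment describes, so a later npm fix to OIDC publishing would not be picked up without editing the workflow; note also that the version in the suggested line is rendered here as `[email protected]`, so whoever applies it must write the intended version out explicitly. If a floor rather than a pin is wanted, a range such as `npm install -g 'npm@^11.5.1'` expresses it, and in either case an `npm --version` check after this step turns an old npm into a clear failure instead of an auth error at `npm publish`.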

1-66: Verify Trusted Publishers are configured on npmjs.com.

The workflow now uses OIDC for authentication, which requires that each package in the matrix is registered as a Trusted Publisher on npmjs.com. This is an out-of-band prerequisite that must be completed before this workflow can successfully publish.

Before merging, ensure the following packages are configured as OIDC Trusted Publishers on npmjs.com:

  • @requestnetwork/add-stakeholder
  • @requestnetwork/create-invoice-form
  • @requestnetwork/invoice-dashboard
  • @requestnetwork/payment-widget
  • @requestnetwork/single-invoice

Reference: npmjs.com Trusted Publishers documentation

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d7177d and a6f6e08.

📒 Files selected for processing (3)
  • .github/workflows/npm-publish.yaml (2 hunks)
  • CONTRIBUTING.md (1 hunks)
  • README.md (1 hunks)
🔇 Additional comments (5)
CONTRIBUTING.md (1)

36-36: Documentation accurately reflects OIDC authentication change.

The update clearly communicates that OIDC Trusted Publisher is now used and that manual tokens are no longer required. This provides helpful context for contributors.

README.md (1)

91-91: Documentation updates are clear and consistent.

The release instructions now clearly specify OIDC Trusted Publisher authentication, and the typo correction improves readability. Both changes align with the workflow migration and contribute guide updates.

Also applies to: 93-93

.github/workflows/npm-publish.yaml (3)

11-13: OIDC permissions are correctly scoped.

The id-token: write permission is required for OIDC token generation, and contents: read aligns with the checkout step's requirements. Workflow-level permissions follow least-privilege principles.


33-33: Action and runtime versions are appropriate.

Upgrading to setup-node@v4 (current major version) and Node.js 20 is timely, especially since Node 18 reached EOL in March 2025. No compatibility concerns expected for the publish workflow.

Also applies to: 35-35


59-66: NODE_AUTH_TOKEN successfully removed from all publish steps.

Verification confirms that NODE_AUTH_TOKEN has been completely removed from the workflow, and OIDC permissions are correctly configured with id-token: write. The publish steps only reference VITE_WEB3MODAL_PROJECT_ID, allowing npm to automatically authenticate using OIDC tokens. The workflow is properly configured for OIDC-based package publishing.


@bassgeta bassgeta left a comment


Thanks for tackling this, changes look sensible and everything builds so we can 🚢


Development

Successfully merging this pull request may close these issues.

Migrate web-components and request-cli to OIDC Trusted Publisher
