chore: update oddish-action to OIDC, bump actions to v6 (node24) #394
Open
decentraland-bot wants to merge 5 commits into
Update oddish-action to the version supporting npm Trusted Publishing (OIDC auth) and remove NODE_AUTH_TOKEN. The old action version writes _authToken to .npmrc which prevents npm from using OIDC-based Trusted Publishing, causing E404 errors after npm invalidated granular tokens that bypass 2FA.
Reference: decentraland/oddish-action#10
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

GitHub Actions runner ships npm 10.9.8 which does not support tokenless Trusted Publishing. npm 11 is required for OIDC auth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

This reverts commit 2a7c48b.

- Bump actions/checkout and actions/setup-node to v6 (node24 runtime, replacing the node20 runtime being phased out)
- Fix package.json repository field for npm provenance verification where applicable
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Empty env: mappings are invalid GitHub Actions YAML, causing "Unexpected value ''" workflow validation errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- Update oddish-action pin from 914e7c5 (pre-OIDC) to 0074f2d (OIDC/Trusted Publishing support)
- Remove NODE_AUTH_TOKEN env — the new action auto-detects OIDC via ACTIONS_ID_TOKEN_REQUEST_URL and uses Trusted Publishing automatically
- Bump actions/checkout and actions/setup-node to v6 (node24 runtime, replacing node20 being phased out)
- Fix package.json repository field for npm provenance verification (where applicable)

Context
npm invalidated granular tokens that bypass 2FA. The old oddish-action version always writes _authToken to .npmrc using the now-invalid token, causing E404/ENEEDAUTH errors. The new version detects OIDC availability and uses Trusted Publishing instead.

Validated on decentraland/protocol — PRs #416 and #417 merged, publish job succeeded.

Test plan
🤖 Generated with Claude Code
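
A preflight check for the conditions this PR describes, as an added example (not code from the PR or from oddish-action): it flags a missing ACTIONS_ID_TOKEN_REQUEST_URL, a leftover NODE_AUTH_TOKEN, an _authToken entry in .npmrc, and an npm older than 11. The function name, the finding labels and the .npmrc path argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight for npm Trusted Publishing in a GitHub Actions job.
# Prints one finding per line; returns 0 only when nothing blocks OIDC publishing.

MIN_NPM_MAJOR=11  # per the commit message above: npm 10.9.8 cannot publish tokenless

# oidc_preflight NPMRC_PATH NPM_VERSION  (function name and finding labels are hypothetical)
oidc_preflight() {
    npmrc=$1
    npm_version=$2
    findings=0

    # GitHub only exports this URL to jobs granted `id-token: write`.
    if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
        echo "no-oidc: ACTIONS_ID_TOKEN_REQUEST_URL is unset"
        findings=$((findings + 1))
    fi

    # A leftover secret means a long-lived credential is still wired into the job.
    if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
        echo "static-token: NODE_AUTH_TOKEN is set"
        findings=$((findings + 1))
    fi

    # Skip comment lines (# or ;), then look for the token entry the PR text blames.
    if [ -f "$npmrc" ] && grep -v '^[[:space:]]*[#;]' "$npmrc" | grep -q '_authToken'; then
        echo "npmrc-token: $npmrc contains _authToken"
        findings=$((findings + 1))
    fi

    major=${npm_version%%.*}
    case $major in
        '' | *[!0-9]*)
            echo "npm-version: cannot parse '$npm_version'"
            findings=$((findings + 1)) ;;
        *)
            if [ "$major" -lt "$MIN_NPM_MAJOR" ]; then
                echo "npm-version: npm $npm_version is older than $MIN_NPM_MAJOR"
                findings=$((findings + 1))
            fi ;;
    esac

    [ "$findings" -eq 0 ]
}

# In CI, before the publish step: oidc_preflight "$HOME/.npmrc" "$(npm --version)" || exit 1
```

Pass the path of whichever .npmrc the publish step actually reads; the `$HOME/.npmrc` in the closing comment is only a placeholder.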