
Conversation

@acalcutt
Contributor

@acalcutt acalcutt commented Dec 12, 2025

NPM has sunset classic tokens as of December 9, 2025. This updates the release workflow to use OIDC-based trusted publishing instead. This could also help with our issue keeping the token up to date.

Changes

Workflow permissions

  • Added id-token: write permission for OIDC token generation
  • Moved contents: write to top-level permissions

NPM authentication

  • Removed manual token management (npm config set and NPM_TOKEN env vars)
  • Added registry-url: 'https://registry.npmjs.org' to setup-node action
  • Simplified publish commands to use automatic OIDC authentication

Package configuration

  • Updated package.json repository URL from git:// to HTTPS format (required for trusted publishing)

Prerequisites for deployment

Before this workflow can be used, the NPM package must be configured for trusted publishing:

  1. Go to https://www.npmjs.com/package/@mapbox/node-pre-gyp/access
  2. Navigate to the "Publishing" section
  3. Configure trusted publishing with GitHub Actions
  4. Add mapbox/node-pre-gyp repository and release.yml workflow as trusted sources

The workflow will then automatically receive and use OIDC tokens from GitHub Actions.

Benefits

  • Enhanced security: No more storing long-lived tokens as secrets
  • Automatic token management: GitHub Actions generates short-lived tokens automatically
  • Compliance: Aligns with npm's new authentication requirements

References

Fixes #928
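As an added illustration, not the project's own release.yml (which this page does not show), here is a constructed workflow fragment with the classic-token approach the PR removes beside the OIDC trusted-publishing form the bullets above describe; the workflow name, trigger, job and step names are assumptions.

```yaml
# Before: classic token stored as a repository secret (constructed example)
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      # Long-lived secret injected into the job and written to .npmrc;
      # this is the step the PR removes.
      - run: npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: npm publish

---
# After: OIDC trusted publishing as described in the PR (constructed example)
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write   # moved to top-level permissions
  id-token: write   # lets the job request a GitHub OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      # No token step and no NPM_TOKEN secret: npm exchanges the workflow's
      # OIDC token for a short-lived publish credential, provided the package's
      # trusted publisher entry names this repository and workflow file
      # (the prerequisites listed above) and the npm CLI is recent enough
      # to support trusted publishing.
      - run: npm publish
```

If the trusted publisher entry on npmjs.com is missing or names a different workflow file, `npm publish` fails with an authentication error rather than falling back to a token, which is the expected failure mode to check first.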

@acalcutt acalcutt requested a review from a team as a code owner December 12, 2025 17:02
@lukekarrys
Collaborator

@acalcutt Do you know of someone to ping to get the npm changes sorted? I wasn't involved with #907 but I'm assuming someone was able to create a token that unblocked releasing 2.0.2 and 2.0.3. It would be great to get this moved to OIDC since the recent npm token changes might have already revoked the current token.

@acalcutt
Contributor Author

acalcutt commented Dec 12, 2025

Maybe @rafaykh90 could help set this up since they had the permissions to publish. Someone with the rights needs to add the trusted publisher in npm settings. On my test package I set it up like this:

[image]

I think here we could also limit it to the main environment

@cclauss cclauss requested a review from lukekarrys December 13, 2025 08:34
@rafaykh90
Contributor

@acalcutt I don't have the permissions to approve external contributors, as it needs to go through the Security team. For now, I have updated the NPM token in the CI to publish the new package version. Unfortunately, tokens are now valid for up to 90 days only, so it needs to be rotated again after that. Until the security team's review, we would have to work with that.

Would it be possible to verify that the package is being published through the CI now?

@acalcutt
Contributor Author

acalcutt commented Dec 18, 2025

If we want to test the existing release workflow with the updated npm key, the version would need to be bumped. It only publishes when the version does not exist on npm, basically following https://github.com/mapbox/node-pre-gyp/blob/master/RELEASE.md

I could make a PR to bump to a prerelease to test if you wanted.

@rafaykh90
Contributor

@acalcutt Feel free to do so. I just want to make sure that the CI is fixed for now and we are unblocked.

@cclauss
Collaborator

cclauss commented Dec 19, 2025

@acalcutt
Contributor Author

Looks like the current workflow is working with the new NPM key:

https://github.com/mapbox/node-pre-gyp/actions/runs/20364041908
https://github.com/mapbox/node-pre-gyp/releases/tag/v2.0.4-pre.0
https://www.npmjs.com/package/@mapbox/node-pre-gyp/v/2.0.4-pre.0

But I'd say keep this PR in case we get someone from Mapbox who can add the npm permissions for trusted publisher.

@lukekarrys
Collaborator

I've approved the PR since the workflow looks good to me. But as @acalcutt said we should not merge this and leave it open since Trusted Publishing would be better in this case. Hopefully we can get that turned on.
