Migrate from NPM token to OIDC authentication (v4)

[developerkunal]

Changes

This PR migrates the npm publishing workflow from static token-based authentication to OIDC (OpenID Connect) authentication for the v4 branch.

What's changing:

• Removed npm-token secret requirement from all workflows
• Added permissions: id-token: write and contents: write to the release job in npm-release.yml
• Removed NODE_AUTH_TOKEN environment variable from the npm publish step
• Set make_latest: false in release-create action to prevent v4 releases from being marked as "latest"
• Updated softprops/action-gh-release to v2.4.2 (pinned to commit hash)
• No changes to npm or yarn versions - using pre-installed npm 10.8.2 on ubuntu-latest runner

Why this is important:

• npm is deprecating long-lived authentication tokens in mid-November 2025
• OIDC provides better security through short-lived tokens automatically issued by GitHub Actions
• Eliminates need to manage and rotate NPM_TOKEN secret
• Ensures v4 releases won't be marked as "latest" (v5 should be latest)

Files changed:

• .github/workflows/npm-release.yml - Added permissions, removed npm-token secret
• .github/workflows/release.yml - Removed npm-token from secrets
• .github/actions/npm-publish/action.yml - Removed npm-token input and NODE_AUTH_TOKEN env var
• .github/actions/release-create/action.yml - Added make_latest: false, updated to v2.4.2

References

• npm OIDC Publishing Documentation: https://docs.npmjs.com/generating-provenance-statements
• GitHub Actions OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
• Companion PR for master branch: Migrate from NPM token to OIDC authentication #1249

Testing

⚠️ IMPORTANT: This uses the same npmjs.com trusted publishing configuration as the master branch

The trusted publishing configuration on npmjs.com should already be set up from PR #1249. The same OIDC setup works for both branches since they use the same workflow file (release.yml) and environment (release).

Testing approach:

• After merge, trigger a test release with an alpha version from the v4 branch
• Verify the workflow completes successfully with OIDC authentication
• Verify the release is NOT marked as "latest" on GitHub
• Check that provenance information appears on the npm package page

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors
• This change does not require new tests (workflow configuration change only)

[developerkunal]

@claude

[github-actions]

Claude finished @developerkunal's task —— View job

---

PR Review Progress

• Read PR diff
• Read project context (AGENTS.md not found, proceeding without it)
• Perform code quality review
• Perform security review
• Perform performance review
• Provide inline feedback
• Post overall assessment

---

Overall Assessment

❌ This PR has a critical configuration issue that will cause npm publish to fail. The workflow removes NODE_AUTH_TOKEN but leaves registry-url configured in actions/setup-node, which creates an .npmrc file expecting the token. When npm publish --provenance runs, it will encounter authentication failure. Remove the registry-url parameter from setup-node or explicitly handle the .npmrc file before publishing.

---

Job Run | Branch: v4-migrate-npm-oidc