Switch to OIDC Trusted Publishers for npm publish by Moser-ss · Pull Request #733 · pipedrive/client-nodejs

Moser-ss · 2026-05-21T21:10:41Z

Switch npm publishing from token-based auth to OIDC Trusted Publishers.

Add use_trusted_publisher: true to reusable workflow call
Add permissions block (id-token: write, contents: write) for OIDC token issuance
No NPM_PUBLIC_PUBLISH_TOKEN secret needed after npmjs.org Trusted Publisher is configured

Manual steps still required before E2E:

Verify client-nodejs is in Pipedrive Public GHA Bot's repo access list
Verify PD_PUBLIC_GHA_BOT_CLIENT_ID variable is available
Add Trusted Publisher on npmjs.com for pipedrive package (org: pipedrive, repo: client-nodejs, workflow: cicd_npm-publish.yml)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CICDL-258: switch to OIDC Trusted Publishers for npm publish

854ca26

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Moser-ss requested a review from a team as a code owner May 21, 2026 21:10

Moser-ss added the npm-version-minor used for deployment label May 21, 2026

siirimangus approved these changes May 22, 2026

View reviewed changes

evenluiv approved these changes May 22, 2026

View reviewed changes

Moser-ss added the npm-ready-for-publish used for deployment label May 22, 2026

pipedrive-public-gha-bot Bot pushed a commit that referenced this pull request May 22, 2026

Release v33.1.0 from PR #733

53a16e4

pipedrive-public-gha-bot Bot merged commit 854ca26 into master May 22, 2026
8 checks passed

pipedrive-public-gha-bot Bot deleted the CICDL-258-oidc-trusted-publishers branch May 22, 2026 10:27

Provide feedback