Ghislain B.

OIDC Trusted Publishing with Lerna-Lite

This article is a follow-up to a previous article I wrote a couple of years ago: How to publish on npm with --provenance using Lerna-Lite

You can now use OIDC Trusted Publishing to publish your packages to NPM. The process is described in the npm documentation:

https://docs.npmjs.com/trusted-publishers

Trusted Publishing with OpenID Connect (OIDC) for all users, marking a significant milestone for JavaScript supply chain security. This authentication method eliminates the need for long-lived tokens in CI/CD workflows, replacing them with short-lived, cryptographically-secured credentials that reduce the attack surface for package publishing.

Also note that this process publishes with Provenance out of the box.

provenance data gives consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it

What is Lerna-Lite?

From Lerna's website, it is described as

Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.

Lerna-Lite is a lighter version of Lerna (every command is optional in Lerna-Lite), as opposed to Lerna, which is an "all-in-one" tool. Another difference is that the newest Lerna version has Nx as a dependency, whereas Lerna-Lite neither requires nor uses Nx.

What you will need

  1. Go to each of your NPM monorepo packages and add a Trusted Publisher via the "Settings" (currently supported publishers are "GitHub Actions" and "GitLab CI/CD").
  2. Take a look at the "Publishing Access"; it is recommended to set it to "Require two-factor authentication and disallow tokens".
  3. Repeat steps 1 and 2 for all your monorepo packages (hopefully NPM will bring a global setup in the future, but for now we have to change them one by one).

You can see a super basic demo at this link:
https://github.com/lerna-lite-test/oidc

This basic demo has the following configuration set as Trusted Publisher:

(screenshot of the Trusted Publisher settings for the demo repository)

Basic Usage

If you already have a Release CI Workflow, then the change is very simple: remove any NPM Token and/or Provenance config, and that's about it; you're now good to go with OIDC.

# release.yml
... 
   - name: Lerna Version 🏷️
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-      NPM_CONFIG_PROVENANCE: true

Or if you want a full sample of a Release CI Workflow, then see below for a basic setup using pnpm, you can tweak it for other package managers.

.github/workflows/release.yml
name: 🏷️ Release to NPM

on:
  workflow_dispatch:

permissions:
  contents: write
  id-token: write # required for OIDC

jobs:
  deploy-npm-latest:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Clone repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Install pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10
          run_install: false

      - name: Set NodeJS
        uses: actions/setup-node@v5
        with:
          registry-url: 'https://registry.npmjs.org/'
          node-version: 24
          cache: 'pnpm'

      # OIDC requires npm v11.5.1 or later 
      # or simply use Node 24 to avoid running the next line
      - run: npm install -g npm@latest

      - run: node --version
      - run: npm --version

      - name: Run pnpm install dependencies
        run: pnpm install

      - name: Build Everything
        run: pnpm build

      - name: Lerna Version 🏷️
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
          git config --global user.name "${{ github.actor }}"
          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
          pnpm exec lerna version --yes

      - name: Lerna Publish 📦
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        id: lerna-publish
        continue-on-error: true
        run: |
          pnpm exec lerna publish from-package --force-publish --yes

Provenance is also used by default; you don't need to enable it anywhere.
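The migration above boils down to two things: no long-lived registry token is referenced anywhere, and the job is granted `id-token: write`. The following script is an added example, not code from the original post or from Lerna-Lite; it lints a release workflow file for exactly those points and warns about a leftover explicit provenance setting, which trusted publishing makes redundant. The two workflow fragments it writes are constructed samples (a "before" in the token-based style and an "after" in the OIDC style); the function name `check_release_workflow` and the sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Lerna-Lite): lint a
# GitHub Actions release workflow for the OIDC trusted-publishing migration.
# It flags leftovers of the token-based setup and checks that the job can
# request an OIDC token. The two YAML fragments below are constructed samples.

# check_release_workflow FILE
# Prints findings; returns 0 when the file passes, 1 when it fails.
check_release_workflow() {
  file="$1"
  status=0

  # A long-lived registry token is exactly what OIDC replaces, so any
  # remaining reference means the migration is incomplete.
  if grep -Eq 'NODE_AUTH_TOKEN|NPM_TOKEN' "$file"; then
    echo "FAIL: $file still references NODE_AUTH_TOKEN/NPM_TOKEN"
    status=1
  fi

  # npm needs this permission to obtain the short-lived OIDC credential.
  if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$file"; then
    echo "FAIL: $file does not grant 'id-token: write'"
    status=1
  fi

  # Provenance comes with trusted publishing by default; an explicit setting
  # is harmless but signals that the old configuration is still around.
  if grep -Eq 'NPM_CONFIG_PROVENANCE|--provenance' "$file"; then
    echo "WARN: $file sets provenance explicitly (already on by default)"
  fi

  [ "$status" -eq 0 ] && echo "OK: $file"
  return "$status"
}

SAMPLES=$(mktemp -d)

# Constructed "before" fragment: the token-based setup the post migrates away from.
cat > "$SAMPLES/before.yml" <<'EOF'
permissions:
  contents: write
jobs:
  deploy-npm-latest:
    steps:
      - name: Lerna Publish
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
        run: pnpm exec lerna publish from-package --yes
EOF

# Constructed "after" fragment: OIDC trusted publishing, no registry token.
cat > "$SAMPLES/after.yml" <<'EOF'
permissions:
  contents: write
  id-token: write # required for OIDC
jobs:
  deploy-npm-latest:
    steps:
      - name: Lerna Publish
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pnpm exec lerna publish from-package --yes
EOF

# The "before" file is expected to fail, the "after" file to pass.
check_release_workflow "$SAMPLES/before.yml" || echo "(before.yml fails, as expected)"
check_release_workflow "$SAMPLES/after.yml"
```

Run it against your own `.github/workflows/release.yml` to confirm nothing from the old setup survived. On the consumer side, the provenance that this setup attaches can be checked with `npm audit signatures`, which verifies the registry signatures and attestations of the installed packages.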

Conclusion

With that in place, we are now publishing with Provenance and short-lived tokens using Lerna-Lite, which makes our toolchain much more secure. Following these steps, you should be able to do the same with your project.

Also note that you can follow the exact same steps with Lerna (the implementation originally came from Lerna, so credit goes to them).

See Lerna-Lite@4.9.0 release for more details.
