
🔧 [PB-1278] Fix OIDC authentication - remove registry-url conflict #17

Merged
crisap94 merged 1 commit into main from front/PB-1278-oidc-trusted-publishing-v2
Dec 31, 2025

Conversation

@crisap94 (Member)

Summary

Fixes OIDC authentication by removing registry-url from setup-node to avoid NODE_AUTH_TOKEN conflict.

Problem

Previous attempts failed because:

  1. Using pnpm publish → pnpm doesn't support OIDC ❌
  2. Adding registry-url → setup-node sets NODE_AUTH_TOKEN which conflicts with OIDC ❌

Root Cause

When registry-url is configured in setup-node:

  • ✅ Creates .npmrc automatically
  • ❌ Sets NODE_AUTH_TOKEN environment variable
  • ❌ npm tries token-based auth instead of OIDC
  • ❌ Token is invalid → Error 404

Solution - Option 1 (Simple)

Don't use registry-url - npm CLI detects OIDC automatically:

- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: 22
    cache: 'pnpm'
    # ✅ No registry-url to avoid NODE_AUTH_TOKEN

- name: Publish to NPM
  run: npm publish --access public --tag latest --provenance
  # ✅ npm CLI uses OIDC automatically with id-token: write

How It Works

  1. GitHub Actions generates OIDC token (id-token: write permission)
  2. npm CLI detects OIDC environment automatically
  3. npm exchanges OIDC token for npm credentials
  4. Publishes with automatic provenance attestation

Changes Made

File: .github/workflows/deploy.yml

  1. Removed registry-url from setup-node (avoids NODE_AUTH_TOKEN conflict)
  2. Using npm publish instead of pnpm publish (OIDC support)
  3. Added --provenance flag (cryptographic attestation)

Configuration Summary

  • id-token: write permission
  • environment: npm-production (matches npm Trusted Publisher)
  • npm publish --provenance
  • ✅ npm CLI v11.5.1+ (auto-detected in runner)
  • ❌ NO registry-url (to avoid NODE_AUTH_TOKEN)
  • ❌ NO manual token configuration

Why This Approach

According to npm community discussions and testing:

  • Option 1 (no registry-url): Simpler, npm detects OIDC automatically
  • Option 2 (with registry-url): Requires clearing NODE_AUTH_TOKEN manually

We chose Option 1 for simplicity and fewer potential conflicts.

Verification

npm Trusted Publisher configuration verified:

  • Organization: ubidots
  • Repository: react-html-canvas
  • Workflow: deploy.yml
  • Environment: npm-production

References
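A complete deploy workflow assembled from the configuration points listed in this PR description. It is an added illustration, not the workflow file from the ubidots/react-html-canvas repository: the tag trigger, the pnpm/action-setup step and the install/build commands are assumptions, while the permissions, the npm-production environment, the absence of registry-url and the publish command follow the summary above. The conflicting setting the PR removed is kept only as a comment for contrast.

```yaml
name: Deploy

# Assumed trigger: publish when a version tag is pushed.
on:
  push:
    tags:
      - 'v*'

# Least-privilege default for every job; only the publish job gets an OIDC token.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Must match the environment name registered in npm's Trusted Publisher settings.
    environment: npm-production
    permissions:
      contents: read
      id-token: write   # lets the runner mint the OIDC token that npm exchanges for credentials

    steps:
      - uses: actions/checkout@v4

      # Assumption: pnpm is installed via pnpm/action-setup (version taken from
      # the packageManager field in package.json).
      - uses: pnpm/action-setup@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
          # Deliberately no registry-url. The removed, conflicting form looked like:
          #   registry-url: https://registry.npmjs.org
          # With it, setup-node writes .npmrc and exports NODE_AUTH_TOKEN, so npm
          # attempts token-based auth instead of the OIDC exchange and fails.

      - run: pnpm install --frozen-lockfile
      - run: pnpm build

      - name: Publish to NPM
        # npm CLI v11.5.1+ detects the OIDC environment on its own;
        # --provenance attaches the signed build attestation to the published version.
        run: npm publish --access public --tag latest --provenance
```

Two properties of this layout are worth keeping in mind. The job holds no long-lived NPM_TOKEN secret, so there is nothing for a compromised build step or leaked log to exfiltrate, and the token npm receives from the OIDC exchange is short-lived and bound to this repository, workflow file and environment. On the consuming side, `npm audit signatures` run inside a project that installed the package verifies the registry signature and the provenance attestation for the installed version, which is how the `--provenance` flag is checked after the fact.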

@coderabbitai

coderabbitai bot commented Dec 31, 2025

📝 Walkthrough

Modified the GitHub Actions deploy workflow by removing the registry-url option from the Node.js setup step and adding the --provenance flag to the npm publish command for enhanced package provenance tracking.

Changes

Cohort / File(s) | Summary
GitHub Actions Configuration (.github/workflows/deploy.yml) | Removed registry-url option from Node.js setup step; added --provenance flag to npm publish command for provenance data inclusion

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow refined with a hop and a bound,
Registry URLs fade without a sound,
Provenance flags now shine bright and clear,
Our packages traced from far and near! ✨


📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Free

📥 Commits

Reviewing files that changed from the base of the PR and between a095b8b and 6e2ea64.

📒 Files selected for processing (1)
  • .github/workflows/deploy.yml


@github-actions

🔍 PR Quality Check Summary

Check | Status
Code Quality & Tests | ✅ success
Security Audit | ✅ success

📋 Checks Performed:

  • ✅ TypeScript compilation
  • ✅ ESLint code quality
  • ✅ Prettier code formatting
  • ✅ Unit tests with coverage (80%+ required)
  • ✅ Build verification
  • ✅ Security audit

🎉 All checks passed! This PR is ready for review.

@crisap94 crisap94 merged commit bbb82d1 into main Dec 31, 2025
4 checks passed