feat: add support for npm Trusted Publishers with NPM_ID_TOKEN

[meesvandongen]

Important

Add support for npm Trusted Publishers using NPM_ID_TOKEN, modifying .npmrc creation and updating documentation.

• New Features:
  • Support for npm Trusted Publishers using NPM_ID_TOKEN in src/main.ts.
  • Skips .npmrc creation if NPM_ID_TOKEN is detected.
  • Retains .npmrc creation with NPM_TOKEN if no .npmrc exists.
• Error Handling:
  • Improved error messages in src/main.ts for missing tokens.
• Documentation:
  • Updated README.md to include setup for Trusted Publishers and classic token flows.
  • Clarified .npmrc creation behavior in README.md.

^{This description was created by for 1e3d823. You can customize this summary. It will automatically update as commits are pushed.}

---

Summary by CodeRabbit

• New Features

  • Added support for npm Trusted Publishers via a new token, which skips .npmrc creation.
  • Preserved classic automation flow using the existing token with automatic .npmrc creation when needed.
  • Improved messaging to indicate which authentication mode and token are in use.

• Documentation

  • Expanded setup guide to cover both Trusted Publishers and classic token flows.
  • Added CI examples and clarified when .npmrc is created or not.

[changeset-bot]

🦋 Changeset detected

Latest commit: 1e3d823

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
changesets-gitlab	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

README adds two npm publish authentication methods: Trusted Publishers using NPM_ID_TOKEN and Classic Automation Token using NPM_TOKEN. Code now detects NPM_ID_TOKEN to skip .npmrc creation, falls back to NPM_TOKEN to create .npmrc, or errors if neither is present. Types and a changeset were added.

Changes

Cohort / File(s)	Summary
Docs README.md	Documented dual auth modes: Trusted Publishers (NPM_ID_TOKEN, no .npmrc) and Classic Token (NPM_TOKEN, .npmrc created when absent). Expanded CI examples and clarified default .npmrc behavior.
Auth / env handling src/main.ts	Added NPM_ID_TOKEN env support. Updated publish flow: detect NPM_ID_TOKEN to skip .npmrc; use NPM_TOKEN to create .npmrc; error if neither token nor existing .npmrc. Adjusted logs and error messages.
Types src/types.ts	Extended Env interface with optional NPM_ID_TOKEN?: string and documentation comments.
Release metadata .changeset/* .changeset/yummy-hairs-enjoy.md	Added changeset indicating a minor change to support Trusted Publishers (GitLab changesets metadata).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant CI as CI Runner
  participant Action as Publish Action
  participant Env as Environment
  participant FS as File System
  participant NPM as npm Registry

  CI->>Action: Invoke publish
  Action->>Env: Read NPM_ID_TOKEN, NPM_TOKEN
  alt Existing .npmrc present
    Action->>FS: Use existing .npmrc
    Action->>NPM: npm publish
  else No .npmrc
    alt NPM_ID_TOKEN present (Trusted Publishers)
      Note over Action: Trusted Publishers detected — skip .npmrc
      Action->>NPM: npm publish (OIDC/ID token)
    else NPM_TOKEN present (Classic)
      Action->>FS: Create .npmrc with //registry.npmjs.org/:_authToken=${NPM_TOKEN}
      Action->>NPM: npm publish
    else Neither token present
      Action-->>CI: Fail (no NPM_TOKEN/NPM_ID_TOKEN and no .npmrc)
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• JounQin

Poem

I twitch my whiskers at tokens two,
One for trust, one classic too.
If ID gleams, no rc to sow—
If not, a tiny file we grow.
Hop, publish, hop—then done—carrots for one. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly summarizes the primary change by noting support for npm Trusted Publishers with NPM_ID_TOKEN. It is concise, specific, and follows the conventional commit style by using the “feat:” prefix. The phrasing directly reflects the main feature added in this PR without extraneous detail, making it immediately clear to reviewers scanning the history. Overall, it accurately captures the intent and scope of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8321bc and 1e3d823.

📒 Files selected for processing (2)

• .changeset/yummy-hairs-enjoy.md (1 hunks)
• README.md (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​esbuild/​aix-ppc64@​0.25.2
	@​esbuild/​darwin-x64@​0.25.2
	@​esbuild/​freebsd-arm64@​0.25.2
	@​esbuild/​linux-arm64@​0.25.2
	@​esbuild/​linux-arm@​0.25.2
	@​esbuild/​linux-loong64@​0.25.2
	@​esbuild/​linux-riscv64@​0.25.2
	@​esbuild/​linux-s390x@​0.25.2
	@​esbuild/​openbsd-x64@​0.25.2
	@​esbuild/​sunos-x64@​0.25.2
	@​esbuild/​win32-ia32@​0.25.2
	@​esbuild/​win32-x64@​0.25.2
	@​esbuild/​android-arm64@​0.25.2
	@​esbuild/​darwin-arm64@​0.25.2
	@​esbuild/​freebsd-x64@​0.25.2
	@​esbuild/​linux-ia32@​0.25.2
	@​esbuild/​linux-mips64el@​0.25.2
	@​esbuild/​linux-ppc64@​0.25.2
	@​esbuild/​linux-x64@​0.25.2
	@​esbuild/​openbsd-arm64@​0.25.2
	@​esbuild/​win32-arm64@​0.25.2
	@​esbuild/​netbsd-x64@​0.25.2
	@​esbuild/​netbsd-arm64@​0.25.2
	@​rollup/​rollup-android-arm-eabi@​4.40.0
	@​rollup/​rollup-android-arm64@​4.40.0
	@​rollup/​rollup-darwin-arm64@​4.40.0
	@​rollup/​rollup-darwin-x64@​4.40.0
	@​rollup/​rollup-freebsd-arm64@​4.40.0
	@​rollup/​rollup-freebsd-x64@​4.40.0
	@​rollup/​rollup-linux-arm-gnueabihf@​4.40.0
	@​rollup/​rollup-linux-arm-musleabihf@​4.40.0
	@​rollup/​rollup-linux-arm64-gnu@​4.40.0
	@​rollup/​rollup-linux-arm64-musl@​4.40.0
See 190 more rows in the dashboard

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/changesets-gitlab@227

commit: 1e3d823

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to d8321bc in 1 minute and 1 seconds. Click for details.

• Reviewed 84 lines of code in 3 files
• Skipped 0 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. README.md:92

• Draft comment:
  Clear documentation for npm Trusted Publishers added. Consider clarifying what happens if both NPM_ID_TOKEN and NPM_TOKEN are set (i.e. that NPM_ID_TOKEN takes precedence).
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

2. src/main.ts:25

• Draft comment:
  NPM_ID_TOKEN is correctly destructured from env. Add a brief inline comment noting that if both tokens are provided, NPM_ID_TOKEN is prioritized.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

3. src/main.ts:72

• Draft comment:
  The conditional branch for .npmrc creation handles Trusted Publishers mode well. Consider logging a warning if both NPM_ID_TOKEN and NPM_TOKEN are set, to make the precedence explicit for users.
• Reason this comment was not posted:
  Confidence changes required: 50% <= threshold 50% None

4. src/types.ts:31

• Draft comment:
  Addition of the NPM_ID_TOKEN field in the Env type is clear and properly documented.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_o3nypJU0XSTncZRE

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/main.ts (1)

69-88: Consider extracting .npmrc handling to reduce cognitive complexity.

The cognitive complexity is slightly above the threshold (16 vs 15). While the code is readable, extracting the .npmrc handling logic into a separate function could improve maintainability.

Example refactor:

async function ensureNpmrc(
  npmrcPath: string,
  NPM_ID_TOKEN: string | undefined,
  NPM_TOKEN: string | undefined
): Promise<void> {
  if (fs.existsSync(npmrcPath)) {
    console.log('Found existing .npmrc file')
  } else if (NPM_ID_TOKEN) {
    console.log(
      'Detected `NPM_ID_TOKEN`; skipping `.npmrc` creation (Trusted Publishers mode).',
    )
  } else if (NPM_TOKEN) {
    console.log('No .npmrc file found, creating one with `NPM_TOKEN`')
    await fs.promises.writeFile(
      npmrcPath,
      `//registry.npmjs.org/:_authToken=${NPM_TOKEN}`,
    )
  } else {
    setFailed(
      'No `.npmrc` found and neither `NPM_TOKEN` nor `NPM_ID_TOKEN` provided, unable to publish packages',
    )
    throw new Error('No npm authentication available')
  }
}

Then in the main function:

try {
  await ensureNpmrc(npmrcPath, NPM_ID_TOKEN, NPM_TOKEN)
} catch {
  return
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eccf474 and d8321bc.

📒 Files selected for processing (3)

• README.md (2 hunks)
• src/main.ts (2 hunks)
• src/types.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/main.ts (1)

src/env.ts (2)

• env (10-33)
• GITLAB_TOKEN (24-32)

🪛 GitHub Actions: CI

src/main.ts

[error] 24-29: SonarJS cognitive complexity limit exceeded. Refactor this function to reduce cognitive complexity from 16 to ≤15.

README.md

[warning] 1-1: Unexpected GFM autolink literal, expected regular autolink; add '<' before and '>' after

🪛 GitHub Check: Lint and Test with Node.js 18

README.md

[warning] 94-94:
{"reason":"Unexpected GFM autolink literal, expected regular autolink, add < before and > after","source":"remark-lint","ruleId":"no-literal-urls","severity":1}

🪛 GitHub Check: Lint and Test with Node.js 20

README.md

[warning] 94-94:
{"reason":"Unexpected GFM autolink literal, expected regular autolink, add < before and > after","source":"remark-lint","ruleId":"no-literal-urls","severity":1}

🪛 GitHub Check: Lint and Test with Node.js 22

README.md

[warning] 94-94:
{"reason":"Unexpected GFM autolink literal, expected regular autolink, add < before and > after","source":"remark-lint","ruleId":"no-literal-urls","severity":1}

🪛 markdownlint-cli2 (0.18.1)

README.md

94-94: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

🔇 Additional comments (8)

src/types.ts (1)

30-32: LGTM! Clear type definition with helpful comments.

The addition of NPM_ID_TOKEN is well-documented and aligns with the implementation in main.ts where this token is used to skip .npmrc creation in Trusted Publishers mode.

src/main.ts (4)

25-25: LGTM!

Correct destructuring of the new NPM_ID_TOKEN environment variable.

---

72-76: LGTM! Correct Trusted Publishers detection.

The logic correctly detects NPM_ID_TOKEN and skips .npmrc creation, allowing npm to handle the OIDC token exchange internally.

---

78-78: LGTM! Improved log message clarity.

Explicitly mentioning NPM_TOKEN helps users understand which authentication method is being used.

---

85-85: LGTM! Clear error message.

The error message now correctly indicates both authentication options, helping users understand what's missing.

README.md (3)

92-93: LGTM! Clear documentation of authentication methods.

The documentation accurately describes both authentication approaches and provides helpful guidance for users.

Also applies to: 95-96

---

122-122: LGTM! Clear clarification of .npmrc behavior.

The note accurately explains when the .npmrc file is created in classic token mode.

---

129-129: LGTM! Helpful note about Trusted Publishers.

The note clearly explains that no .npmrc is required when using Trusted Publishers with NPM_ID_TOKEN.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 1e3d823 in 38 seconds. Click for details.

• Reviewed 95 lines of code in 4 files
• Skipped 0 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. .changeset/yummy-hairs-enjoy.md:2

• Draft comment:
  Changeset file for a minor update looks good. Ensure that the minor version bump is intended.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

2. README.md:92

• Draft comment:
  The README update clearly explains both authentication methods. Consider verifying the formatting of the provided cat << EOF code block to avoid unintended whitespace in the generated .npmrc.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

3. src/main.ts:72

• Draft comment:
  The token handling logic now prioritizes NPM_ID_TOKEN over NPM_TOKEN by skipping .npmrc creation when NPM_ID_TOKEN is set. Consider adding a code comment to document that if both tokens are present, Trusted Publishers mode takes precedence.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

4. src/types.ts:29

• Draft comment:
  The addition of NPM_ID_TOKEN in the Env type is clear and aligns with the updated authentication methods.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_9lLxGRUIOmOg3VuU

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}