rusackas opened a new pull request, #41207:
URL: https://github.com/apache/superset/pull/41207
### SUMMARY
Replaces the long-lived `NPM_TOKEN` used to publish
`@superset-ui/embedded-sdk` with **npm trusted publishing (OIDC)**.
**Why:** The *Embedded SDK Release* job failed on every push to `master`
after #40991 bumped the SDK to `0.4.0`. Root cause wasn't code — the publish
credential had gone stale. Because the version sat at `0.3.0` (already on npm),
`release-if-necessary.js` always took the "version already exists, exiting"
path and the publish step hadn't actually run since November 2025. The bump
forced it to run, and it failed. A fresh token fixes it today but rearms the
same time bomb.
OIDC removes the token entirely: each publish mints a short-lived,
workflow-scoped credential, so there's nothing to expire, rotate, or leak — and
npm provenance is enabled automatically.
### CHANGES
- Add `id-token: write` to the build job (required for the OIDC exchange).
- Drop `NODE_AUTH_TOKEN` from the publish step.
- Remove the `config` job that gated on the `NPM_TOKEN` secret existing —
under OIDC there is no secret, so that gate would make the job skip forever.
Replaced with `if: github.repository == 'apache/superset'`, which preserves the
original "don't publish from forks" intent.
- Add `npm install -g npm@latest` to guarantee npm ≥ 11.5.1
(trusted-publishing requirement). The pinned Node (`.nvmrc` = v24.16.0) already
satisfies the Node ≥ 22.14.0 requirement.
### ⚠️ PREREQUISITE — must be done before merge (draft until then)
A package admin must configure the Trusted Publisher on npmjs.com first, or
publishing will break:
- [ ] On npmjs.com → `@superset-ui/embedded-sdk` → Settings → **Trusted
Publisher** → GitHub Actions
  - Repository: `apache/superset`
  - Workflow: `embedded-sdk-release.yml`
- [ ] Merge this PR
- [ ] Delete the now-unused `NPM_TOKEN` repo secret
(The "package must already exist" precondition for trusted publishing is
satisfied — `0.3.0` is published.)
### TESTING INSTRUCTIONS
After the Trusted Publisher is configured and this merges, the next push to
`master` should publish the current SDK version (with provenance) and the job
should go green. No token is referenced anywhere in the workflow.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
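The shape of the workflow change the PR describes, as an added illustrative example and not the PR's actual diff: the token-gated `config` job and `NODE_AUTH_TOKEN` are shown commented out beside the OIDC form. Step names, the `superset-embedded-sdk` working directory and the action versions are assumptions; `release-if-necessary.js`, the `apache/superset` repository check and the workflow filename come from the PR text.

```yaml
# Constructed example: .github/workflows/embedded-sdk-release.yml
# The filename must match the "Workflow" value registered under the package's
# Trusted Publisher settings on npmjs.com; the `name:` field below does not matter.
name: Embedded SDK Release

on:
  push:
    branches: [master]

# Before: a separate `config` job exposed an output such as
#   has-secrets: ${{ secrets.NPM_TOKEN != '' }}
# and the publish job ran only when it was true. With OIDC there is no secret,
# so that gate would skip forever; the repository check below keeps forks
# from publishing instead.
jobs:
  build:
    runs-on: ubuntu-latest
    if: github.repository == 'apache/superset'
    # Scope the OIDC permission to this job only (least privilege), not the
    # whole workflow.
    permissions:
      contents: read
      id-token: write   # required for the GitHub -> npm OIDC token exchange
    defaults:
      run:
        working-directory: superset-embedded-sdk   # assumed package path
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm >= 11.5.1; the npm bundled with the
      # pinned Node may be older, so upgrade it explicitly.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build
      # Before: the publish step carried a long-lived token that could go
      # stale or leak.
      #   - run: node release-if-necessary.js
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # After: no token at all. npm detects the OIDC-capable runner, exchanges
      # the workflow identity for a short-lived publish credential and attaches
      # provenance automatically.
      - run: node release-if-necessary.js
```

If the package's Trusted Publisher is not configured before this lands, the publish step fails with an authentication error rather than silently skipping, which is the behaviour the PR's prerequisite checklist is guarding against.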