Migrate to npm Trusted Publishing

[AtofStryker]

Why migrate to Trusted Publishing?

As part of npm's security improvements, Cypress is migrating all GitHub Actions repositories from granular access tokens to npm Trusted Publishing (OIDC).

Benefits:

• Enhanced Security: Eliminates long-lived tokens that can be compromised, using temporary, job-specific credentials instead
• No Token Rotation: Removes the overhead of quarterly token rotation (previously required every 90 days)
• Automatic Provenance Attestation: Provides better audit trails and security transparency
• Simplified Security Model: Reduces attack surface by eliminating persistent credentials

Implementation

Update semantic-release

Update semantic-release from 24.2.3 to 25.0.1 inside the github workflow, which adds support for trusted publishing. See the release notes for details.

Configure Trusted Publishing

1. Set up npm Trusted Publishing in the npm dashboard for @cypress scope packages
2. Update the GitHub Actions workflow to use OIDC instead of NPM_TOKEN secret
3. Remove the NPM_TOKEN secret from repository settings once migration is complete

Reference

• npm Trusted Publishing documentation

Acceptance Criteria

• semantic-release updated to 25.0.1
• npm Trusted Publishing configured for this repository
• GitHub Actions workflow updated to use OIDC
• NPM_TOKEN secret removed from repository
• Successful test release using trusted publishing

[MikeMcC399]

@AtofStryker

Thanks for adding this task and for the detail you provided!

This is probably a good repo to pilot this change.

• Although the repo publishes to the npm registry @cypress/github-action, the code is never run from this source and so it's not essential for this to work 100%!
• There are already plans in place to update other actions, including cycjimmy/semantic-release-action to Node.js 24 (see Update action to run under Node.js 24 #1519), which would be a prerequisite to update to semantic-release >=25.0.0

Please let me know if there is any urgent need for change, otherwise I'll be submitting multiple routine PRs to move the repo forward, including release components. If you are intending to submit PRs yourself, do please allow me to review them.

[AtofStryker]

@AtofStryker

Thanks for adding this task and for the detail you provided!

This is probably a good repo to pilot this change.

• Although the repo publishes to the npm registry @cypress/github-action, the code is never run from this source and so it's not essential for this to work 100%!
• There are already plans in place to update other actions, including cycjimmy/semantic-release-action to Node.js 24 (see Update action to run under Node.js 24 #1519), which would be a prerequisite to update to semantic-release >=25.0.0

Please let me know if there is any urgent need for change, otherwise I'll be submitting multiple routine PRs to move the repo forward, including release components. If you are intending to submit PRs yourself, do please allow me to review them.

@MikeMcC399 I am not currently planning to submit the PRs to do the trusted publishing work, mostly just file issues and prioritize. That being said, if you want to submit the PRs, please feel free as we would greatly appreciate the help (as always!). You can also tag me as a reviewer.

[MikeMcC399]

@AtofStryker

@MikeMcC399 I am not currently planning to submit the PRs to do the trusted publishing work, mostly just file issues and prioritize. That being said, if you want to submit the PRs, please feel free as we would greatly appreciate the help (as always!). You can also tag me as a reviewer.

Thanks for the clarification! I've added myself as assignee here for the bits that I can contribute.

[MikeMcC399]

• PR ci(deps): update semantic-release to 25.0.2 #1636 is now merged and the first item on the list is done:

github-action/.github/workflows/main.yml

Lines 43 to 52 in f790eee

	- name: Semantic Release
	uses: cycjimmy/semantic-release-action@v6
	id: semantic
	with:
	# https://github.com/semantic-release/semantic-release
	semantic_version: 25.0.2
	branches: master
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

[MikeMcC399]

Examples of the release workflow log can be found using https://github.com/cypress-io/github-action/actions/workflows/main.yml?query=branch%3Amaster

https://github.com/cypress-io/github-action/actions/runs/23202088880 including the error

[@semantic-release/npm] › ℹ Verifying OIDC context for publishing from GitHub Actions
[@semantic-release/npm] › ℹ Retrieval of GitHub Actions OIDC token failed: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
[@semantic-release/npm] › ℹ Have you granted the id-token: write permission to this workflow?

The next steps need to be taken by the Cypress.io team.

Log extract

[3:28:27 PM] [semantic-release] › ℹ  Running semantic-release version 25.0.2
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/npm"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/github"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/npm"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/npm"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/github"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/npm"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/github"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "success" from "@semantic-release/github"
[3:28:27 PM] [semantic-release] › ✔  Loaded plugin "fail" from "@semantic-release/github"
[3:28:33 PM] [semantic-release] › ✔  Run automated release from branch master on repository git+https://github.com/cypress-io/github-action.git
[3:28:33 PM] [semantic-release] › ✔  Allowed to push to the Git repository
[3:28:33 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Verifying OIDC context for publishing from GitHub Actions
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Retrieval of GitHub Actions OIDC token failed: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Have you granted the `id-token: write` permission to this workflow?
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Verify authentication for registry https://registry.npmjs.org/
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Reading npm config from /home/runner/work/github-action/github-action/.npmrc
(node:2319) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
[3:28:33 PM] [semantic-release] [@semantic-release/npm] › ℹ  Wrote NPM_TOKEN to /tmp/e0223cfa66885517cd7679cf07c8d6b4/.npmrc
cypress-npm-publisher