Add OIDC trusted publishing + staged npm releases via GitHub Actions

[patocallaghan]

Why?

Moves npm publishing onto short-lived, per-run OIDC credentials with a human approval step, removing the need for a stored long-lived npm token.

How?

Adds a release-triggered GitHub Actions workflow that authenticates to npm via OIDC (no token) and uses npm's staged publishing, so each release is queued for a maintainer to approve before it goes live.

_{Generated with Claude Code}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github/​actions/​checkout@​de0fac2e4500dabe0009e67214ff5f5447ce83dd

View full report

[imSzukala]

Review

Ported the RN OIDC staged-publishing workflow (intercom/intercom-react-native#360) faithfully on the security scaffolding — SHA-pinned actions, env-var indirection for the release tag, least-privilege id-token: write on the publish job only, ancestry gate, concurrency, and staged publish all look good. But there are two blockers stemming from the fact that this repo's layout differs from the RN repo.

🔴 Blocker 1 — Workflow runs from repo root, but there is no root package.json

The publishable package (cordova-plugin-intercom) lives in intercom-plugin/; there is no root package.json. So:

• verify → node -p "require('./package.json').version" fails immediately.
• stage-publish → npm stage publish from root has no package to publish.

Both the version assert and the publish step need to run inside intercom-plugin/ (e.g. working-directory: ./intercom-plugin, and read ./intercom-plugin/package.json). RN's package is at the repo root, so it didn't need this — this is exactly the "editable region" the CAVEAT header flags as unresolved. As written the workflow cannot succeed.

🔴 Blocker 2 — The CircleCI publish job is not removed → double publish

circle.yml is untouched, and its publish job fires on any tag matching /[0-9]+(\.[0-9]+)+/. Publishing a GitHub Release creates that tag, so the existing CircleCI token-based publish and the new GH Actions OIDC publish both fire on every release — they race on the dist-tag, and it defeats the purpose of removing the stored NPM_TOKEN.

RN's PR deleted its release-to-npm job and its workflow wiring from CircleCI. This PR needs to remove the publish job + its workflow entry from circle.yml.

🟠 Issue 3 — Missing TOCTOU / tag-mutability hardening that RN added

RN's final commit (6d565ef) had validate emit the resolved, ancestry-checked SHA and had downstream jobs check out that SHA rather than re-resolving the mutable tag. Here, stage-publish does a fresh checkout with no ref:, re-resolving the tag independently of what verify validated — the window RN deliberately closed. Suggest mirroring RN: have verify output sha, and stage-publish check out ${{ needs.verify.outputs.sha }}.

🟡 Minor

• No build/test job — acceptable here. The plugin ships source as-is, has no prepare/build script (package.json has no scripts), matching the old CircleCI behaviour (npm publish only). RN needed lint/ts/test/build; Cordova legitimately doesn't.
• Prerelease dist-tag is next vs RN's beta — fine if intentional.
• OIDC trusted-publisher config on npmjs.org must target workflow filename publish.yml and the intercom-plugin package (operational prerequisite, not in the diff).
• The large CAVEAT header should be resolved and removed before merge rather than shipped — its presence signals the workflow is still a template.

Bottom line

Not mergeable as-is. Fix the two blockers — (1) wire every package step to intercom-plugin/, and (2) delete the CircleCI publish job so releases don't publish twice — and ideally fold in RN's SHA-pinning between jobs.

~ Automated via Claude

[patocallaghan]

@imSzukala Thanks for the review. I've updated per your feedback 🙇‍♂️