Fix Trusted Publishing via OIDC (#777)

Author: WillsB3

source/cli-implementation.js

@@ -10,6 +10,7 @@ import config from './config.js';
 import * as util from './util.js';
 import * as git from './git-util.js';
 import * as npm from './npm/util.js';
+import {getOidcProvider} from './npm/oidc.js';
 import {SEMVER_INCREMENTS} from './version.js';
 import ui from './ui.js';
 import np from './index.js';
@@ -193,18 +194,23 @@ try {
 
 	// Check authentication early, before Listr starts (so login can be interactive)
 	if (options.runPublish) {
-		const externalRegistry = npm.isExternalRegistry(package_)
-			? package_.publishConfig.registry
-			: false;
-
-		try {
-			await npm.username({externalRegistry});
-		} catch (error) {
-			if (error.isNotLoggedIn && isInteractive()) {
-				console.log('\nYou must be logged in to publish. Running `npm login`...\n');
-				await npm.login({externalRegistry});
-			} else {
-				throw error;
+		// Skip auth check if OIDC is available (will be handled by npm publish itself)
+		if (getOidcProvider()) {
+			console.log('OIDC authentication detected - skipping auth check');
+		} else {
+			const externalRegistry = npm.isExternalRegistry(package_)
+				? package_.publishConfig.registry
+				: false;
+
+			try {
+				await npm.username({externalRegistry});
+			} catch (error) {
+				if (error.isNotLoggedIn && isInteractive()) {
+					console.log('\nYou must be logged in to publish. Running `npm login`...\n');
+					await npm.login({externalRegistry});
+				} else {
+					throw error;
+				}
 			}
 		}
 	}

source/index.js

@@ -23,6 +23,7 @@ import gitTasks from './git-tasks.js';
 import {getPackagePublishArguments, runPublish} from './npm/publish.js';
 import enable2fa, {getEnable2faArguments} from './npm/enable-2fa.js';
 import handleNpmError from './npm/handle-npm-error.js';
+import {getOidcProvider} from './npm/oidc.js';
 import releaseTaskHelper from './release-task-helper.js';
 import {findLockfile, printCommand} from './package-manager/index.js';
 import * as util from './util.js';
@@ -110,7 +111,8 @@ const np = async (input = 'patch', {packageManager, ...options}, {package_, root
 		}
 	}, {wait: 2000});
 
-	const shouldEnable2FA = options['2fa'] && options.availability.isAvailable && !options.availability.isUnknown && !package_.private && !npm.isExternalRegistry(package_);
+	// Don't enable 2FA when using OIDC (Trusted Publishing) as it's already managed
+	const shouldEnable2FA = options['2fa'] && options.availability.isAvailable && !options.availability.isUnknown && !package_.private && !npm.isExternalRegistry(package_) && !getOidcProvider();
 
 	// To prevent the process from hanging due to watch mode (e.g. when running `vitest`)
 	const ciEnvOptions = {env: {CI: 'true'}};

test/index.js

@@ -129,6 +129,42 @@ test('skip enabling 2FA if the `2fa` option is false', async t => {
 	t.true(enable2faStub.notCalled);
 });
 
+test('skip enabling 2FA in trusted publishing (OIDC) contexts', async t => {
+	const enable2faStub = sinon.stub();
+
+	/** @type {typeof np} */
+	const npMock = await esmock('../source/index.js', {
+		del: {deleteAsync: sinon.stub()},
+		execa: {execa: sinon.stub().returns(fakeExecaReturn())},
+		'../source/prerequisite-tasks.js': sinon.stub(),
+		'../source/git-tasks.js': sinon.stub(),
+		'../source/git-util.js': {
+			hasUpstream: sinon.stub().returns(true),
+			pushGraceful: sinon.stub(),
+			verifyWorkingTreeIsClean: sinon.stub(),
+		},
+		'../source/npm/enable-2fa.js': enable2faStub,
+		'../source/npm/publish.js': {
+			getPackagePublishArguments: sinon.stub().returns([]),
+			runPublish: sinon.stub().returns(fakeObservableReturn()),
+		},
+		'../source/npm/oidc.js': {
+			getOidcProvider: () => 'github',
+		},
+	});
+
+	await t.notThrowsAsync(npMock('1.0.0', {
+		...defaultOptions,
+		availability: {
+			isAvailable: true,
+			isUnknown: false,
+		},
+		'2fa': true,
+	}, npPackageResult));
+
+	t.true(enable2faStub.notCalled);
+});
+
 test('rollback is called when publish fails', async t => {
 	const deleteTagStub = sinon.stub().resolves();
 	const removeLastCommitStub = sinon.stub().resolves();