NPM Token Revocation: Migrate To Trusted Publishing

by ADMIN

Hey guys! Big changes are coming to how we handle things with NPM (Node Package Manager), and I wanted to give you a heads-up, especially if you're into ioBroker. Basically, NPM is revoking what they call "classic tokens," and you'll need to update your workflows to keep things running smoothly. This is all about making things more secure, which is awesome, but it does mean a bit of work for us.

The Lowdown: What's Happening?

So, NPM sent out an email outlining these changes. Let's break it down, shall we? They're making a bunch of security improvements in phases. Here's the key stuff:

  • October 13th: They rolled out new granular tokens with a 90-day maximum lifetime (7-day default). This means shorter-lived tokens for added security.
  • October 13th: They disabled new TOTP (Time-Based One-Time Password) 2FA configurations. If you already had it set up, it's still working.
  • Early November: This is the big one: All classic tokens will be permanently revoked.

Why are they doing this? Well, it's all about beefing up security. They've seen some supply chain attacks where hackers got hold of long-lived tokens, which let them mess with packages. This phased approach is designed to protect the NPM ecosystem and your packages from any bad guys.

Action Time: What You Need to Do

The most important thing is that classic tokens are going away in early November. If you're using these in any kind of automated setup, like your CI/CD pipelines (that's Continuous Integration and Continuous Deployment, for you newbies), or even just local development, you've got to switch to something new. The recommended solution? Trusted Publishing. The good news is that the ioBroker tools already support this. Phew!

Migrating to Trusted Publishing: A Step-by-Step Guide

Alright, let's get you set up with Trusted Publishing. It's a bit of a process, but don't worry, it's totally manageable. Here's what you need to do:

Setting Up the npm Trust Relationship

First, you need to configure things in your NPM account. This part is separate from your test-and-release workflow. Here's how to do it:

  1. Log in to npmjs.com with the account that has permission to publish your package.
  2. Go to your package page: For example, if your package is called ioBroker.my-adapter, go to https://www.npmjs.com/package/ioBroker.my-adapter. Then, click the "Settings" tab.
  3. Configure Trusted Publishing: Scroll down to the "Publishing access" section and select "Automate publishing with GitHub Actions" or "Add trusted publisher". Fill in the following fields:
    • Repository owner: Your GitHub username or organization (e.g., ioBroker).
    • Repository name: The name of your adapter repository (e.g., ioBroker.my-adapter).
    • Workflow name: test-and-release.yml (or whatever your release workflow is named).
    • Environment: Leave this blank.
  4. Save the configuration!

For more details, check out the NPM Trusted Publishing documentation and the GitHub Actions OIDC documentation.

Adapting Your test-and-release.yml for ioBroker/action-testing-deploy

Next, you'll need to tweak your test-and-release.yml file. This is the file that controls your deployment workflow. Here's how to do it:

  1. Open test-and-release.yml: Edit the file directly on GitHub or in your development environment.

  2. Remove the npm-token: Find the job called deploy. It should look something like this:

    # Deploys the final package to NPM
    deploy:
      needs: [check-and-lint, adapter-tests]
    
      # Trigger this step only when a commit on any branch is tagged with a version number
      if: |
        contains(github.event.head_commit.message, '[skip ci]') == false &&
        github.event_name == 'push' &&
        startsWith(github.ref, 'refs/tags/v')
    
      runs-on: ubuntu-latest
    
      # Write permissions are required to create Github releases
      permissions:
        contents: write
    
      steps:
        - uses: ioBroker/testing-action-deploy@v1
          with:
            node-version: '20.x'
            # Uncomment the following line if your adapter cannot be installed using 'npm ci'
            # install-command: 'npm install'
            build: true
            npm-token: ${{ secrets.NPM_TOKEN }}
            github-token: ${{ secrets.GITHUB_TOKEN }}
    

    Locate the line that starts with npm-token:. Remove this line, or comment it out by adding # at the beginning of the line.

  3. Add id-token: write: Within the permissions: block, add the line id-token: write. Make sure the indentation is correct! If the permissions: block is missing, add it, including the contents: write line.

  4. Test and Release: Test your new release workflow.

  5. Remove the NPM_TOKEN secret: (Optional) After you've confirmed everything is working, you can remove the NPM_TOKEN secret from your GitHub repository settings. Nice!

For Modified or Private Workflows

If you're using a modified, private, or outdated test-and-release.yml workflow, here's what to consider:

  • Consider using the standard workflow: Evaluate if you can switch to the standard test-and-release workflow, which is recommended.
  • Use ioBroker/testing-action-deploy@v1: If you must keep a modified workflow, at least use this action within it. Then follow the migration steps.
  • Private Deploy Mechanisms: If you really have a private deploy mechanism, follow the instructions in the NPM Trusted Publishing documentation. Key points:
    • Make sure you entered the correct workflow name when setting up "Trusted Publishing".
    • Use the newest npm release in your deploy job. Upgrade npm with a command like npm install -g npm@latest right before the deploy command, in that job only rather than for the whole workflow, to avoid potential issues in the other jobs.
    • Do NOT pass a token or try to log in to npm. Just run npm publish without any explicit authentication; the trust relationship you configured on npmjs.com authenticates the job.
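For a private deploy mechanism that does not use the ioBroker action, the key points above translate into a job like the following. This is an added example, not from the page or from ioBroker; the step layout (checkout, setup-node, npm ci, build) is assumed, and the job must live in the workflow file you registered as the trusted publisher.

```yaml
# Minimal private deploy job using Trusted Publishing instead of an npm token.
# Assumed (not from the page): the job lives in test-and-release.yml, the same
# workflow name entered on npmjs.com, and the package is built with "npm run build".
deploy:
  runs-on: ubuntu-latest
  if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')

  permissions:
    contents: read
    id-token: write   # required so npm can obtain the GitHub OIDC token for this job

  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: '20.x'
    - run: npm ci
    - run: npm run build --if-present

    # Upgrade npm only here, right before publishing, not for the whole workflow
    - name: Upgrade npm for Trusted Publishing support
      run: npm install -g npm@latest

    # No NPM_TOKEN, no npm login: the OIDC trust relationship authenticates the publish
    - name: Publish to npm
      run: npm publish
```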

What's Coming Next?

A PR (Pull Request) for the standard test-and-release.yml workflow is in the works!

There's a tool in development that will automatically generate a PR with the required changes for the standard test-and-release.yml workflow. This means if you are using the default workflow, you might get a PR soon with the changes already done for you! Just wait for that.

Need Help?

If you have any questions, don't hesitate to reach out! The best places to get in touch are our development channels on Telegram and GitHub (invites are available at https://www.iobroker.dev). You can also leave a comment and mention me (@mcm1957).

A huge thanks to everyone maintaining their adapters! Let's keep working together to give users the best possible experience.

Cheers,

Your ioBroker Check and Service Bot