NPM Token Revocation: Act Now For IoBroker Adapters!

Hey guys! Big changes are coming to how you publish your ioBroker adapters to npm, and it's super important to stay ahead of the curve. This is all about NPM revoking classic tokens, so let's dive into what's happening and what you need to do.

The Big News: Classic Tokens are Going Away!

First off, NPM (that's the package manager for JavaScript, and the backbone of ioBroker adapters) is beefing up its security. You might have already gotten an email about it, but here's the gist: classic tokens, those long-lived passwords you use to publish your packages, are being phased out.

What does this mean for you? Well, if you use classic tokens in your automation, your CI/CD pipelines, or even just when you're developing locally, you need to switch to granular access tokens before early November 2025. Otherwise, you might face publishing disruptions.

Key Dates and Changes

• Early November 2025: All classic tokens will be permanently revoked. This is the critical date to keep in mind. After this date, any automation relying on these tokens will fail.
• Granular Tokens: New granular tokens are limited to a 90-day maximum lifetime (7-day default). This change is already in effect.

These changes are all about making the npm ecosystem more secure and protecting you from supply chain attacks.

Action Required: Migrate to Trusted Publishing

The good news? ioBroker already supports the recommended solution: Trusted Publishing. This approach uses GitHub Actions and OpenID Connect (OIDC) to securely publish your adapters. This means you don't need to manually manage tokens anymore. It's a much more secure and streamlined process. Let's look at how to migrate:

Setting Up npm Trust Relationship

1. Log in to npmjs.com: Make sure you are logged into your npm account that has publishing rights to your package.

2. Navigate to your Package Page: Go to your package page on npm. The URL format is https://www.npmjs.com/package/YOUR-PACKAGE-NAME. Go to the "Settings" tab.

3. Configure Trusted Publishing: Scroll down to the "Publishing access" section and select either "Automate publishing with GitHub Actions" or "Add trusted publisher". Fill in the following information:

   • Repository owner: Your GitHub username or organization (e.g., ioBroker)
   • Repository name: Your adapter repository name (e.g., ioBroker.your-adapter)
   • Workflow name: test-and-release.yml (or the name of your release workflow)
   • Environment: Leave this field blank.

   Important: Remember that all the information you enter is case-sensitive! Double-check everything!

4. Save the Configuration: Once you have entered all the information, save your configuration.

For more detailed information, consult:

• NPM Trusted Publishing Documentation
• GitHub Actions OIDC Documentation

Adapting Your test-and-release.yml Workflow

If you're using the standard test-and-release.yml workflow provided by ioBroker, you'll need to make some changes to your workflow file.

1. Open test-and-release.yml: You can edit this file directly on GitHub or in your local development environment.

2. Remove the npm-token: Locate the deploy job in your test-and-release.yml file. It should look something like this:

   # Deploys the final package to NPM
   deploy:
     needs: [check-and-lint, adapter-tests]
   
     # Trigger this step only when a commit on any branch is tagged with a version number
     if: |
       contains(github.event.head_commit.message, '[skip ci]') == false &&
       github.event_name == 'push' &&
       startsWith(github.ref, 'refs/tags/v')
   
     runs-on: ubuntu-latest
   
     # Write permissions are required to create Github releases
     permissions:
       contents: write
   
     steps:
       - uses: ioBroker/testing-action-deploy@v1
         with:
           node-version: '20.x'
           # Uncomment the following line if your adapter cannot be installed using 'npm ci'
           # install-command: 'npm install'
           build: true
           npm-token: ${{ secrets.NPM_TOKEN }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
   

   Find the line that starts with npm-token:. Then, remove this line or comment it out by adding a # at the beginning of the line.

3. Add id-token: write: Find the permissions: block. If it's not present, add it. Inside the permissions: block, add the line id-token: write. Make sure the indentation is correct to prevent YAML errors. The permissions block should look something like this:

   permissions:
     contents: write
     id-token: write
   

4. Test Your Release and Deploy Workflow: Create a test release to make sure everything works smoothly. This will confirm that your adapter can be published without needing the deprecated token.

5. (Optional) Remove the NPM_TOKEN Secret: Once you've confirmed that your workflow is working correctly, you can remove the NPM_TOKEN secret from your GitHub repository settings. It is no longer needed.

Custom or Outdated Workflows

If you're using a private, modified, or outdated test-and-release.yml workflow, here are a few recommendations:

• Consider using the Standard Workflow: Evaluate whether you can switch to the standard test-and-release.yml workflow and follow the steps above. This is generally the easiest and most supported approach.

• Use ioBroker/testing-action-deploy@v1: If you must keep a modified or private workflow, integrate the ioBroker/testing-action-deploy@v1 action into it. This will help simplify the migration.

• Follow NPM Trusted Publishing Documentation: If you are using a completely private deploy mechanism, make sure to follow the instructions in the NPM Trusted Publishing documentation. Here are some important points to keep in mind:

  • Ensure that you entered the correct workflow name when setting up Trusted Publishing.
  • Make sure you are using the newest version of npm for the deployment. Use a dedicated npm install -g npm@latest command within your workflow for updates. The npm version included in your node release might be too old.
  • Do NOT use a token or try to log in to npm in your workflow. Instead, use the npm publish command without any explicit authorization.

Help is on the Way: Automated PRs

Good news! A tool that generates pull requests (PRs) to automatically add the necessary changes to the standard test-and-release.yml workflow is in development. So, if you're using the default workflow, you might receive a PR soon that proposes the required changes. Keep an eye out for it. If you're not using the standard workflow, you won't get a PR, and you will need to follow the manual steps above.

Get Involved and Stay Updated

If you have any questions or need help, please reach out! The best place to get support is in the ioBroker development channels on Telegram or GitHub (invites are available at https://www.iobroker.dev). You can also leave a comment and mention me (@mcm1957).

Thanks a bunch to all of you for maintaining these amazing adapters. Let's keep working together to provide the best user experience possible!

Cheers,

The ioBroker Check and Service Bot