NPM Token Revoked: Migrate To Trusted Publishing!


Hey guys! Let's dive into some important security updates from NPM that might affect your ioBroker packages and workflows. NPM is making some crucial changes to enhance the security of the ecosystem, and it's essential to stay ahead of the curve to avoid any disruptions. This article breaks down everything you need to know about the upcoming changes and how to migrate to Trusted Publishing.

What will happen in the very near future?

NPM is currently rolling out several security-related parameter changes. You might have already received an email from NPM outlining these updates. If not, here’s a quick summary:

NPM is making security changes, and here's what you need to know:

  • October 13: New granular tokens limited to a 90-day maximum lifetime (7-day default).
  • October 13: New TOTP 2FA configurations disabled (existing TOTP still works).
  • Early November: All classic tokens will be permanently revoked.

The most critical part for us is the revocation of classic tokens in early November. These tokens, which have been the backbone of many automated deployment workflows, will no longer function. This means that if you're using the standard test-and-release.yml workflow with classic tokens, your automatic deployments will be disrupted. To avoid this, migrating to 'Trusted Publishing' is highly recommended. The good news is that ioBroker tools already support this!

NPM is making these changes to address recent supply chain attacks that have exploited compromised long-lived tokens. By implementing these phased security updates, NPM aims to protect the ecosystem and your packages from malicious actors. It’s all about keeping things secure for everyone!

Migration to Trusted Publishing recommended by early November 2025

The most important statement in the mail for now is: "Early November: All classic tokens will be permanently revoked."

Without classic, permanently valid tokens, automatic deployment using the standard workflow test-and-release.yml will no longer work. Migration to 'Trusted Publishing' is therefore recommended, and the good news is that this is already supported by ioBroker tools.

Migration to Trusted Publishing is essential: automatic deployment via the standard workflow test-and-release.yml will stop working if you don't do it, and ioBroker tools already support Trusted Publishing, so there's nothing to worry about. Trusted Publishing links your GitHub repository directly to your NPM account, so each publish is authorized per workflow run instead of via a stored long-lived token. This eliminates the need for long-lived tokens, reducing the risk of token compromise and supply chain attacks, and ensures that only the configured workflow from your repository can publish the package to NPM. This adds an extra layer of security and control over your publishing process.

The deadline to migrate to Trusted Publishing is early November 2025, so there's time to implement the changes. But it's best not to wait until the last minute. Getting it done sooner ensures your deployments remain seamless and secure.

Actions needed for migration to "Trusted Publishing"

So, how do you migrate to Trusted Publishing? Don’t worry, it's straightforward. Here’s a step-by-step guide to get you started:

Set up the npm trust relationship (independent of the test-and-release workflow variant)

To initiate the migration to Trusted Publishing, you need to configure it in your NPM account. Follow these steps:

  1. Log in to npmjs.com with an account that has publish rights for your package

  2. Navigate to your package page:

  3. Configure Trusted Publishing:

    • Scroll down to the "Publishing access" section

    • Click on "Automate publishing with GitHub Actions" or "Add trusted publisher"

    • Fill in the required information:

      • Repository owner: Your GitHub username or organization (e.g., ioBroker)
      • Repository name: Your adapter repository name (e.g., ioBroker.your-adapter)
      • Workflow name: test-and-release.yml (or the name of your release workflow)
      • Environment: Leave blank

      IMPORTANT: all information is case sensitive!

  4. Save the configuration

For more information, see:

Setting up the npm trust relationship is the foundational step of Trusted Publishing: by entering the repository owner, repository name, workflow name and environment in your NPM package settings, you tell NPM which GitHub Actions workflow is allowed to publish the package. This step is independent of the specific test-and-release workflow you use, so every ioBroker adapter developer needs it. Once configured, only the named workflow from the named repository can publish to NPM, which adds an extra layer of control to your publishing process and minimizes the risk of unauthorized or malicious deployments.

Actions for repositories using the up-to-date test-and-release workflow with ioBroker/testing-action-deploy

If you're using the standard test-and-release workflow with the ioBroker/testing-action-deploy action, here's how to adapt your workflow file:

You must adapt your workflow file test-and-release.yml.

  1. Open test-and-release.yml for editing, either directly on github.com or in your development environment

  2. Remove npm-token from the deploy section

    • locate the job named 'deploy'. It should look like this:

      # Deploys the final package to NPM
      deploy:
        needs: [check-and-lint, adapter-tests]

        # Trigger this step only when a commit on any branch is tagged with a version number
        if: |
          contains(github.event.head_commit.message, '[skip ci]') == false &&
          github.event_name == 'push' &&
          startsWith(github.ref, 'refs/tags/v')

        runs-on: ubuntu-latest

        # Write permissions are required to create Github releases
        permissions:
          contents: write

        steps:
          - uses: ioBroker/testing-action-deploy@v1
            with:
              node-version: '20.x'
              # Uncomment the following line if your adapter cannot be installed using 'npm ci'
              # install-command: 'npm install'
              build: true
              npm-token: ${{ secrets.NPM_TOKEN }}
              github-token: ${{ secrets.GITHUB_TOKEN }}

    • locate the line starting with 'npm-token:'
    • remove this line (or comment it out by adding a '#' as the first character)
    • locate the block starting with 'permissions:'
    • add a line 'id-token: write'. Take care to use the correct indentation so that the YAML file stays valid. If the block is missing altogether, add it including the 'contents: write' line as shown in the example.

  3. Test the release and deploy workflow by creating a test release.

  4. Remove the NPM_TOKEN secret from your GitHub repository settings (optional, after confirming everything works)

Removing the npm-token from the deploy section ensures that your workflow no longer relies on classic tokens, which NPM is revoking. In the 'deploy' job of test-and-release.yml, remove the line starting with npm-token: and add id-token: write under the permissions: block. This permission lets the workflow request a short-lived GitHub OIDC (OpenID Connect) token, which NPM verifies against the trusted publisher you configured instead of a stored secret. Then create a test release to confirm that the deploy still works; this catches problems before they affect a production release. Once the workflow is confirmed to be working, you can optionally remove the NPM_TOKEN secret from your GitHub repository settings, which further reduces the risk of token compromise.

Actions for repositories using a private, modified or outdated test-and-release.yml workflow

If your repository is not yet using the standard test-and-release workflow, the following steps are recommended:

  • Evaluate switching to the standard test-and-release workflow and proceed as described previously.
  • If you must keep a modified / private test-and-release workflow, consider at least using the action ioBroker/testing-action-deploy@v1 within your workflow. You can then follow the migration guide described previously.
  • If you really must use a private deploy mechanism, follow the steps described in the NPM Trusted Publishing documentation. The following points are important:
    • ensure that you entered the correct workflow name when setting up 'Trusted Publishing'
    • ensure that you really use the newest npm release to perform the deploy. Use a dedicated 'npm install -g npm@latest' command within your workflow to update it; the npm bundled with your node release might be too old. Add the npm upgrade near the deploy command; do not update npm for the complete workflow as this might cause negative side effects.
    • do NOT use a token or try to log in to npm. Use 'npm publish' without dedicated authorization.

For private, modified or outdated workflows, first evaluate switching to the standard test-and-release workflow, which makes the migration straightforward. If you need to keep a modified workflow, integrate the ioBroker/testing-action-deploy@v1 action, which already supports Trusted Publishing. If you must use a completely private deploy mechanism, follow the NPM Trusted Publishing documentation and keep three points in mind: the workflow name configured in your NPM settings must match your workflow file exactly, the deploy must run with the latest npm release, and the publish step must not use a token or attempt a login. With these in place, the transition to Trusted Publishing works regardless of your workflow setup.
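For the private deploy mechanism, an added example (not from the ioBroker project or the npm documentation) of a minimal token-less deploy job that applies the three points above. The job name, Node version and build command are assumptions; adapt them to your adapter.

```yaml
# Fragment of a private test-and-release.yml: a token-less deploy job.
# The file name of this workflow must be exactly what was entered as
# "Workflow name" in the Trusted Publishing setup on npmjs.com (case sensitive).
deploy:
  needs: [check-and-lint, adapter-tests]
  if: |
    contains(github.event.head_commit.message, '[skip ci]') == false &&
    github.event_name == 'push' &&
    startsWith(github.ref, 'refs/tags/v')
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write   # required: npm obtains a GitHub OIDC token for the publish
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: '20.x'   # assumption: adapt to your adapter
    - run: npm ci
    - run: npm run build       # assumption: only if your adapter has a build step
    # Upgrade npm only here, directly before publishing: the npm bundled with the
    # Node release may be too old for Trusted Publishing, and upgrading it for the
    # whole workflow might cause side effects in the other jobs.
    - run: npm install -g npm@latest
    # No NODE_AUTH_TOKEN, no .npmrc token and no 'npm login': the publish is
    # authorized through the trusted publisher configured on npmjs.com.
    - run: npm publish
```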

Upcoming PR for repositories using standard test-and-release.yml workflow

A tool that generates a PR adding the required changes to the standard test-and-release workflow is under development, so you may want to wait a few more days to receive a PR proposing the required changes to test-and-release.yml. Note that you will not receive a PR if you are not using the default / standard workflow. The PR is expected within the next week.

Keep an eye out for this automated PR in your repository. It will only be generated if you're using the default workflow; if you're using a custom workflow, you'll need to make the changes manually following the steps outlined above.

If you have any questions, please contact us, preferably via our development channels on Telegram / GitHub (invites available at https://www.iobroker.dev) or by dropping a comment and mentioning me (@mcm1957).

THANKS A LOT for maintaining this adapter, from me and all users. Let's work together for the best user experience.

your ioBroker Check and Service Bot

By following these steps, you'll ensure that your ioBroker adapter deployments remain secure and uninterrupted. Embrace Trusted Publishing, and let's keep the ioBroker ecosystem safe and sound! Remember to reach out if you have any questions or need further assistance.