From 806111c94f4b2caa1f1d10110cfb1ec4c00b39c8 Mon Sep 17 00:00:00 2001
From: aj-bw <81774843+aj-bw@users.noreply.github.com>
Date: Mon, 15 Sep 2025 13:57:23 -0400
Subject: [PATCH] [bre-1104] update cli npm publish to use oidc (#16214)

* prep workflow for npm OIDC publishing
* add node setup step
* update environment name
* clarify job title
* npm versioning testing, will revert
* syntax
* syntax
* temporarily remove dynamic node version
* Revert build-cli.yml to main branch version
* remove husky install step
* pin npm version in setup node step
* add comment
* more clear comment to show future action needed
* formatting
---
 .github/workflows/publish-cli.yml | 40 +++++++++++--------------------
 1 file changed, 14 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml
index efb0f541d70..bef686592d4 100644
--- a/.github/workflows/publish-cli.yml
+++ b/.github/workflows/publish-cli.yml
@@ -183,6 +183,7 @@ jobs:
   npm:
     name: Publish NPM
+    environment: CLI - NPM
     runs-on: ubuntu-22.04
     needs: setup
     permissions:
@@ -195,23 +196,20 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get Node version
+        id: retrieve-node-version
+        run: |
+          NODE_NVMRC=$(cat .nvmrc)
+          NODE_VERSION=${NODE_NVMRC/v/''}
+          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Set up Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "npm-api-key"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+          node-version: ${{ steps.retrieve-node-version.outputs.node_version }}
+          npm-version: "11.5.1" # FIXME: npm 11.5.1 or later is required to publish w/ OIDC; move version management to somewhere maintainable by automation
+          registry-url: "https://registry.npmjs.org/"
 
       - name: Download and set up artifact
         run: |
@@ -219,19 +217,9 @@ jobs:
           wget https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip
           unzip bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip -d build
 
-      - name: Setup NPM
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-        env:
-          NPM_TOKEN: ${{ steps.retrieve-secrets.outputs.npm-api-key }}
-
-      - name: Install Husky
-        run: npm install -g husky
-
       - name: Publish NPM
         if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: npm publish --access public --regsitry=https://registry.npmjs.org/ --userconfig=./.npmrc
+        run: npm publish --access public
 
   update-deployment:
     name: Update Deployment Status
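Review bot: In the `Get Node version` step, `NODE_VERSION=${NODE_NVMRC/v/''}` replaces the first `v` found anywhere in the `.nvmrc` contents rather than only a leading prefix, and the redirect target `$GITHUB_OUTPUT` is unquoted; `NODE_VERSION=${NODE_NVMRC#v}` and `echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"` state the intent exactly and match the shell-quoting style a linter would expect. With the Azure login and Key Vault steps gone, the job now depends entirely on the workflow's OIDC token being accepted by the registry, which in turn requires an `id-token: write` permission on this job and a trusted-publisher entry on the npm side bound to the `CLI - NPM` environment; the job's `permissions:` block is cut off in this patch, so that cannot be confirmed here. A short comment next to the `Set up Node` step recording that dependency, e.g. `# OIDC trusted publishing: requires id-token: write on this job and a matching npm trusted-publisher config for the "CLI - NPM" environment`, would save the next maintainer from rediscovering it when a publish fails with an auth error.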
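Review bot: The `Publish NPM` step is skipped outright when `publish_type` is `Dry Run`, so after this change a dry run never exercises the unpacked artifact, the registry configuration written by `setup-node`, or the new token-less publish path before a real release. A sibling step such as `- name: Publish NPM (dry run)` / `if: ${{ inputs.publish_type == 'Dry Run' }}` / `run: npm publish --access public --dry-run` would keep that verification without touching the registry. If provenance attestations are expected for this package, passing `--provenance` explicitly on the real publish line makes the intent visible in the workflow; whether the registry attaches them automatically under trusted publishing is not something this patch shows, so I would not rely on it silently.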