From 0ba9357411d1893cf420da46bbc8384dfff9bbe3 Mon Sep 17 00:00:00 2001
From: jayree
Date: Mon, 3 Nov 2025 19:10:17 +0100
Subject: [PATCH] feat: support token-based package publishing on npm (oidc)

---
 command-snapshot.json | 1 +
 messages/npm.package.release.md | 4 ++++
 src/commands/npm/package/release.ts | 5 +++++
 src/dependencies.ts | 2 +-
 src/repository.ts | 3 ++-
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/command-snapshot.json b/command-snapshot.json
index 232a3b322..5b831d418 100644
--- a/command-snapshot.json
+++ b/command-snapshot.json
@@ -153,6 +153,7 @@
 "json",
 "npmaccess",
 "npmtag",
+ "oidc",
 "prerelease",
 "sign",
 "verify"
diff --git a/messages/npm.package.release.md b/messages/npm.package.release.md
index 8f866a8cb..5cb83b677 100644
--- a/messages/npm.package.release.md
+++ b/messages/npm.package.release.md
@@ -26,6 +26,10 @@ run yarn install and build on repository given a github tag, release the version specified in the package.json as is. Useful when you've already done a release and only need npm publish features
+# flags.oidc.summary
+
+enable OpenID Connect (OIDC) authentication for secure, token-based package publishing on npm
+
 # flags.prerelease.summary
 
 determine the next version as -.0 if version is not manually set
diff --git a/src/commands/npm/package/release.ts b/src/commands/npm/package/release.ts
index 25b5a3a24..710e37356 100644
--- a/src/commands/npm/package/release.ts
+++ b/src/commands/npm/package/release.ts
@@ -65,6 +65,10 @@ export default class Release extends SfCommand {
 githubtag: Flags.string({
 summary: messages.getMessage('flags.githubtag.summary'),
 }),
+ oidc: Flags.boolean({
+ default: false,
+ summary: messages.getMessage('flags.oidc.summary'),
+ }),
 };
 
 public async run(): Promise {
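Review bot: The new `oidc` flag carries only a summary, yet selecting it changes the command's environment contract (the NPM_TOKEN requirement is dropped elsewhere in this patch) and presumes the CI job is already set up for npm trusted publishing, none of which a user reading `--help` can see. Consider adding a `description` (for example `description: messages.getMessage('flags.oidc.description')` backed by a new message) stating that NPM_TOKEN is not read when this flag is set and that the workflow must be able to obtain an OIDC token. The summary's phrase "token-based" is also easy to misread as the stored NPM_TOKEN path the flag replaces; wording such as "short-lived OIDC token" would be clearer. The `Release` class and its `run` method continue outside the hunk.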
@@ -82,6 +86,7 @@ export default class Release extends SfCommand {
 const pkg = await PackageRepo.create({
 ux: new Ux({ jsonEnabled: this.jsonEnabled() }),
 useprerelease: flags.prerelease,
+ useoidc: flags.oidc,
 });
 
 await pkg.writeNpmToken();
diff --git a/src/dependencies.ts b/src/dependencies.ts
index 60ccb0600..fa6693e5f 100644
--- a/src/dependencies.ts
+++ b/src/dependencies.ts
@@ -39,7 +39,7 @@ const DEPENDENCIES: Dependency[] = [
 {
 name: 'NPM_TOKEN',
 type: 'env',
- condition: (flags): boolean => !flags.dryrun,
+ condition: (flags): boolean => !flags.dryrun && !flags.oidc,
 },
 {
 name: 'GH_TOKEN',
diff --git a/src/repository.ts b/src/repository.ts
index 78ad3ed5a..cfeba3e2d 100644
--- a/src/repository.ts
+++ b/src/repository.ts
@@ -37,6 +37,7 @@ type PollFunction = () => boolean;
 type RepositoryOptions = {
 ux: Ux;
 useprerelease?: string;
+ useoidc?: boolean;
 };
 
 abstract class Repository extends AsyncOptionalCreatable {
@@ -81,7 +82,7 @@ abstract class Repository extends AsyncOptionalCreatable {
 
 public async writeNpmToken(): Promise {
 const home = this.env.getString('HOME') ?? os.homedir();
- await this.registry.setNpmAuth(home);
+ if (!this.options?.useoidc) await this.registry.setNpmAuth(home);
 await this.registry.setNpmRegistry(home);
 }
 
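Review bot: Dropping the NPM_TOKEN requirement when `--oidc` is set leaves no preflight check that the run can actually obtain an OIDC token, so a job without the `id-token: write` permission, or one run outside a supported CI, now passes the dependency check and only fails later inside `npm publish`. If GitHub Actions is the OIDC provider this targets, an `env` dependency on `ACTIONS_ID_TOKEN_REQUEST_URL` conditioned on the flag would surface the misconfiguration as early as the token path does; trusted publishing also needs an npm CLI recent enough to support it (11.5.1 or later, as I recall), which may be worth asserting in the same place. Whether the `Dependency` type accepts an arbitrary `name` is not visible here; the `DEPENDENCIES` array continues outside the hunk.
```typescript
  {
    name: 'NPM_TOKEN',
    type: 'env',
    condition: (flags): boolean => !flags.dryrun && !flags.oidc,
  },
  {
    // Only meaningful on the --oidc path: GitHub Actions sets this when the job has id-token: write.
    name: 'ACTIONS_ID_TOKEN_REQUEST_URL',
    type: 'env',
    condition: (flags): boolean => !flags.dryrun && Boolean(flags.oidc),
  },
  // … unchanged: GH_TOKEN entry and the rest of DEPENDENCIES …
```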
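Review bot: The skip in `writeNpmToken` has no comment saying why auth is not written under OIDC, which is the security-relevant part of the change: the registry credential is meant to come from the CI-issued identity rather than a stored token, so nothing should be persisted in .npmrc. Suggest `// With OIDC trusted publishing npm obtains a short-lived token itself; do not persist NPM_TOKEN in .npmrc.` above the `if`. The method name and its caller in release.ts (`await pkg.writeNpmToken()`) now mislead under `--oidc`, since only the registry entry is written; a one-line TSDoc on the method, or a log line through the ux passed in `options`, would make the skipped step visible in CI output. The same applies to `useoidc?: boolean` in `RepositoryOptions` in the earlier hunk, which would benefit from a doc comment stating that it suppresses writing the auth token. If the project's lint config enforces braces, the braceless single-line `if` would also need the block form.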