Failure to publish via OIDC when using readonly token for private package install #1054

Description

@pyoor

I have a private package which depends on other private packages. I'm attempting to use semantic-release to publish that package, but it appears that the read-only token that I provide in order to install other private dependencies is conflicting with the OIDC token. What's the correct way to proceed here?

  # ci.yaml
  release:
    # Only run on push to main, not on PRs
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [ lint, test ]
    runs-on: ubuntu-latest
    
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
    
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_READ_TOKEN }}
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: npx semantic-release

Output from gh-actions:

npx semantic-release
...
[11:48:46 PM] [semantic-release] › ✔  Allowed to push to the Git repository
[11:48:46 PM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
[11:48:46 PM] [semantic-release] [@semantic-release/npm] › ℹ  Verifying OIDC context for publishing from GitHub Actions
[11:48:47 PM] [semantic-release] [@semantic-release/npm] › ℹ  OIDC token exchange with the npm registry succeeded
...
[11:48:48 PM] [semantic-release] › ✔  Completed step "prepare" of plugin "@semantic-release/npm"
[11:48:49 PM] [semantic-release] › ✔  Created tag v9.0.1
[11:48:49 PM] [semantic-release] › ℹ  Start step "publish" of plugin "@semantic-release/npm"
[11:48:49 PM] [semantic-release] [@semantic-release/npm] › ℹ  Publishing version 9.0.1 to npm registry on dist-tag latest
...
npm notice total files: 25
npm notice
npm error code ENEEDAUTH
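An added diagnostic, not code from the issue or from semantic-release, for comparing what npm sees at the `npm ci` step versus the release step. It assumes, as documented for actions/setup-node, that `registry-url` writes an `.npmrc` line of the form `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` and that npm expands such `${VAR}` references from the environment when it reads the file; the sample `.npmrc` below is constructed.

```python
import re
from typing import Dict, List

# Matches npm's per-registry auth line, e.g. //registry.npmjs.org/:_authToken=abc
AUTH_LINE = re.compile(r"^\s*(//[^\s:]+/):_authToken\s*=\s*(\S+)\s*$")
# ${VAR} references, which npm expands from the environment when it reads .npmrc
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def audit_npmrc(npmrc_text: str, env: Dict[str, str],
                registry: str = "https://registry.npmjs.org") -> List[str]:
    """Report _authToken entries in npmrc_text that apply to `registry`.

    An empty list means no static or env-backed token is configured for the
    publish registry, so nothing in .npmrc competes with an OIDC exchange.
    """
    host_prefix = "//" + registry.split("://", 1)[-1].rstrip("/") + "/"
    findings: List[str] = []
    for line in npmrc_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m or m.group(1) != host_prefix:
            continue
        value = m.group(2)
        refs = ENV_REF.findall(value)
        if not refs:
            findings.append(f"static _authToken for {host_prefix}")
            continue
        for name in refs:
            if env.get(name):
                findings.append(f"{name} is set: token auth configured for {host_prefix}")
            else:
                # Assumption: npm cannot expand an unset ${VAR} in .npmrc at this step
                findings.append(f"{name} is unset: npm cannot expand ${{{name}}} for {host_prefix}")
    return findings


# Constructed sample: the .npmrc shape actions/setup-node writes when given registry-url
SAMPLE_NPMRC = (
    "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}\n"
    "registry=https://registry.npmjs.org/\n"
    "always-auth=true\n"
)

if __name__ == "__main__":
    # NODE_AUTH_TOKEN is present at the `npm ci` step but not at the release step
    for step, env in (("npm ci", {"NODE_AUTH_TOKEN": "npm_example"}), ("release", {})):
        print(step, audit_npmrc(SAMPLE_NPMRC, env) or ["no token entries for publish registry"])
```

Run it against the `.npmrc` named by `NPM_CONFIG_USERCONFIG` in the job to see which credential path applies at each step.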
