Description
Problem
OIDC trusted publishing silently fails when publishConfig.registry in package.json is set to https://registry.npmjs.org (without trailing slash), because oidc-context.js uses strict equality comparison:
// lib/trusted-publishing/oidc-context.js
return OFFICIAL_REGISTRY === registry && !!(await exchangeToken(pkg, context));
Where OFFICIAL_REGISTRY is defined as "https://registry.npmjs.org/" (with trailing slash).
Expected Behavior
The OIDC flow should be triggered regardless of whether the registry URL has a trailing slash or not. Both of these should work:
- https://registry.npmjs.org
- https://registry.npmjs.org/
Actual Behavior
When publishConfig.registry is https://registry.npmjs.org (no trailing slash), the strict equality check fails, OIDC is skipped entirely, and the plugin falls back to token authentication (npm whoami), which then fails with:
npm error code E401
npm error 401 Unauthorized - GET https://registry.npmjs.org/-/whoami
No OIDC-related log messages appear (like "Verifying OIDC context for publishing from GitHub Actions"), making this very difficult to debug.
Suggested Fix
Normalize the registry URL before comparison, for example:
import normalizeUrl from "normalize-url";
export default async function oidcContextEstablished(registry, pkg, context) {
return normalizeUrl(OFFICIAL_REGISTRY) === normalizeUrl(registry) && !!(await exchangeToken(pkg, context));
}
Note: normalize-url is already a dependency of this package and is used in verify-auth.js.
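To make the failure mode concrete, here is an added example (not code from @semantic-release/npm) that puts the strict-equality check next to a normalized comparison and shows which authentication path each one selects for the same registry value. It uses Node's built-in WHATWG URL class for normalization rather than the normalize-url package so it runs with no dependencies; the OFFICIAL_REGISTRY constant is taken from the issue, while the helper names, the authPathFor function and the sample registry values are constructed for this illustration.

```javascript
// Added example: strict vs. normalized registry comparison.
// OFFICIAL_REGISTRY matches the value quoted in the issue (trailing slash).
const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

// The comparison as described in the issue: plain string equality, so the
// same host without a trailing slash is treated as a different registry.
function isOfficialRegistryStrict(registry) {
  return OFFICIAL_REGISTRY === registry;
}

// Normalize a registry URL with the WHATWG URL parser (lower-cases scheme
// and host, resolves an empty path to "/") and ensure the path ends with
// "/". Returns null for unparsable input so callers treat it as
// "not the official registry" instead of throwing mid-publish.
function normalizeRegistry(registry) {
  let url;
  try {
    url = new URL(registry);
  } catch {
    return null;
  }
  if (!url.pathname.endsWith("/")) url.pathname += "/";
  return url.href;
}

// Hypothetical replacement check: compare normalized forms.
function isOfficialRegistryNormalized(registry) {
  const normalized = normalizeRegistry(registry);
  return normalized !== null && normalized === normalizeRegistry(OFFICIAL_REGISTRY);
}

// Mirrors the control flow the issue describes: OIDC only when the registry
// check passes, otherwise the plugin falls back to token auth (npm whoami).
// The comparison function is injected so both variants can be observed.
function authPathFor(registry, compare) {
  return compare(registry) ? "oidc" : "token-fallback";
}

// Constructed sample inputs: the two forms from the issue, an upper-cased
// variant, a private registry, and garbage.
const SAMPLE_REGISTRIES = [
  "https://registry.npmjs.org/",
  "https://registry.npmjs.org",
  "HTTPS://REGISTRY.NPMJS.ORG",
  "https://npm.example.internal/", // constructed private registry
  "not a url",
];

for (const registry of SAMPLE_REGISTRIES) {
  console.log(
    JSON.stringify(registry).padEnd(36),
    "strict:",
    authPathFor(registry, isOfficialRegistryStrict).padEnd(15),
    "normalized:",
    authPathFor(registry, isOfficialRegistryNormalized)
  );
}
```

Run it with node; the no-slash form is the row where the strict check routes to token-fallback while the normalized check routes to oidc, which is exactly the silent skip reported above. Rejecting unparsable input rather than throwing keeps the decision in the same place and makes it easy to emit a log line for the "registry did not match, skipping OIDC" branch, which is what the issue notes is currently missing.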
Environment
- @semantic-release/npm: 13.1.3
- semantic-release: 25.0.2
- Node.js: 24.x
- CI: GitHub Actions
Workaround
Add trailing slash to publishConfig.registry in package.json:
{
"publishConfig": {
"registry": "https://registry.npmjs.org/"
}
}