Authentication/token lifecycle
npm trusted publishing GitHub Actions protected environments npm provenance environment claim mismatch
Publishing works from the default branch but fails when the job uses a protected environment.
Agent Quick Fix
Repair against the current npm registry contract, then keep the change narrow and source-backed.
Product: npm registry
Current-contract area: Trusted publishing environment claim mismatch
Likely root cause: the job's OIDC token carries an environment claim (set when the workflow declares a protected environment) that does not match the environment configured on the package's trusted publisher, so the registry rejects the publish even though the default-branch run without an environment succeeds.
Repair direction: make the verifier validate the current authentication flow, token class, and OIDC claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.
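A local diagnostic for the claim check described above, added here as an example and not part of the original page or of npm's own tooling. It decodes an Actions OIDC token (signature not verified; that is the registry's job), compares `iss`, `repository`, `job_workflow_ref`, and `environment` against a trusted-publisher configuration, and reports mismatches. The sample token, repository name, and the rule that a publisher configured without an environment accepts any environment are assumptions.

```python
import base64
import json

# Issuer of every GitHub Actions OIDC token.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Diagnostic only: the registry verifies against GitHub's JWKS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_trusted_publisher(claims: dict, publisher: dict) -> list:
    """Compare OIDC claims with a trusted-publisher config (repository,
    workflow filename, optional environment). Returns mismatch messages."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} is not GitHub Actions")
    if claims.get("repository") != publisher["repository"]:
        problems.append(f"repository {claims.get('repository')!r} != {publisher['repository']!r}")
    # job_workflow_ref looks like owner/repo/.github/workflows/<file>@<ref>
    want_prefix = f"{publisher['repository']}/.github/workflows/{publisher['workflow']}@"
    if not claims.get("job_workflow_ref", "").startswith(want_prefix):
        problems.append(f"workflow {claims.get('job_workflow_ref')!r} does not start with {want_prefix!r}")
    # Assumed rule: a configured environment must equal the token's environment
    # claim (GitHub emits it only when the job declares `environment:`); a
    # publisher configured without an environment is treated as accepting any.
    want_env = publisher.get("environment")
    got_env = claims.get("environment")
    if want_env and got_env != want_env:
        problems.append(f"environment claim {got_env!r} != configured {want_env!r}")
    return problems


# Constructed sample: the job ran in protected environment "release", but the
# registry-side publisher was configured for environment "npm-publish".
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "repository": "example-org/example-pkg",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/publish.yml@refs/heads/main",
    "environment": "release",
}
SAMPLE_PUBLISHER = {"repository": "example-org/example-pkg", "workflow": "publish.yml", "environment": "npm-publish"}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so decode_claims can be exercised offline."""
    def b64(obj): return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    for problem in check_trusted_publisher(decode_claims(make_unsigned_token(SAMPLE_CLAIMS)), SAMPLE_PUBLISHER):
        print("mismatch:", problem)
```

Run it against the real token only from inside the job (the `ACTIONS_ID_TOKEN_REQUEST_*` variables) and compare to the publisher as shown on the package's settings page.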
Symptom
Publishing works from the default branch but fails when the job uses a protected environment.
Why This Happens
Credentials and issuer rules live outside the codebase, so the same local 401 can mean revocation, expiry, a scope or audience mismatch, or provenance drift, and only the current registry contract tells them apart.
Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
- npm trusted publishing GitHub Actions protected environments npm provenance environment claim mismatch
- docs.npmjs.com trusted publishing GitHub Actions environment protected environment npm publish OIDC
- npm trusted publishing docs GitHub Actions OIDC workflow file environment
- https://docs.npmjs.com/trusted-publishers
- 'environment' in https://docs.npmjs.com/trusted-publishers