Authentication/token lifecycle
npm trusted publishing: OIDC subject mismatch after a workflow file rename
The registry rejects a provenance publish from a newly renamed workflow despite a valid GitHub OIDC token.
Agent Quick Fix
Repair against the current npm registry contract, then keep the change narrow and source-backed.
Product: npm registry
Current-contract area: Trusted publishing OIDC subject mismatch
Likely root cause: The workflow was renamed, so the workflow file name carried in its GitHub OIDC token no longer matches the trusted publishing configuration, and the registry rejects the provenance publish even though the token itself is valid.
Repair direction: The verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.
Symptom
The registry rejects a provenance publish from a newly renamed workflow despite a valid GitHub OIDC token.
Why This Happens
Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.
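To tell a renamed-workflow mismatch apart from the other causes, decode the workflow's OIDC token and compare its claims with the trusted publisher entry. The following is an added example, not code from npm or GitHub: it decodes without verifying the signature (debugging only), the `publisher` object shape and the exact-match comparison are assumptions, and the sample token is constructed; `repository`, `workflow_ref` and `environment` are GitHub Actions OIDC claims.

```javascript
// Added diagnostic example, not npm's or GitHub's code. It only decodes the
// token for debugging; it does NOT verify the signature, issuer or expiry.

// Decode the payload (second segment) of a compact JWT: base64url -> JSON.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// "owner/repo/.github/workflows/release.yml@refs/heads/main" -> "release.yml"
function workflowFileFromRef(workflowRef) {
  const refPath = String(workflowRef || '').split('@')[0];
  const marker = '/.github/workflows/';
  const i = refPath.indexOf(marker);
  return i === -1 ? null : refPath.slice(i + marker.length);
}

// Compare claims with a trusted publisher entry. The `publisher` shape and the
// exact, case-sensitive matching are assumptions made for this example.
function diffTrustedPublisher(claims, publisher) {
  const seen = {
    repository: claims.repository,
    workflowFile: workflowFileFromRef(claims.workflow_ref),
    environment: claims.environment,
  };
  return Object.keys(publisher)
    .filter((k) => publisher[k] && seen[k] !== publisher[k])
    .map((k) => `${k}: token=${seen[k]} configured=${publisher[k]}`);
}

// Constructed sample: the workflow was renamed from publish.yml to release.yml.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}
const sampleToken = makeSampleToken({
  repository: 'example-org/example-pkg',
  workflow_ref: 'example-org/example-pkg/.github/workflows/release.yml@refs/heads/main',
});
const staleEntry = { repository: 'example-org/example-pkg', workflowFile: 'publish.yml' };

console.log(diffTrustedPublisher(decodeJwtPayload(sampleToken), staleEntry));
```

An empty result means the compared fields agree, so the rejection has another cause such as expiry, scope, or audience.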
Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
npm trusted publishing workflow file name OIDC subject workflow rename subject mismatch
site:docs.npmjs.com trusted publishing workflow filename npm
npm trusted publishing provenance OIDC subject file workflow
https://docs.npmjs.com/trusted-publishers