OIDC Trusted publishing fails with enterprise-scoped issuer

[makstech]

🏷️ Discussion Type

Bug

Body

Current Behavior

OIDC token exchange fails with 401 Unauthorized when the GitHub Enterprise has include_enterprise_slug (docs) enabled on the OIDC issuer.

POST https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/%40my-scope%2Fmy-package
Status: 401 Unauthorized
Response: {"message":"OIDC token exchange error - unauthorized"}

The OIDC token's iss claim is https://token.actions.githubusercontent.com/<enterprise-slug> (enterprise-scoped) instead of https://token.actions.githubusercontent.com (standard). The npm registry rejects the token because it only trusts the standard issuer URL.

All other claims are correct: repository, repository_owner, job_workflow_ref, and environment all match the trusted publisher configuration on npmjs.com.

Expected Behavior

The npm registry should accept OIDC tokens from enterprise-scoped GitHub Actions issuers (https://token.actions.githubusercontent.com/<enterprise-slug>).

These enterprise-scoped issuers share the same JWKS signing keys as the standard issuer, and the enterprise slug can be validated against the enterprise claim in the JWT.

GitHub Enterprise Cloud customers enable include_enterprise_slug as a security best practice to scope OIDC tokens for cloud providers (AWS, Azure, GCP). Disabling it to use npm trusted publishing degrades security posture for all other OIDC consumers, this is not an acceptable trade-off.

The identical problem exists on PyPI: pypi/warehouse#17700

Steps To Reproduce

1. Have a GitHub organization under a GitHub Enterprise with include_enterprise_slug enabled
2. Configure a trusted publisher on npmjs.com for a package in that org's repo
3. Run a GitHub Actions workflow with id-token: write permission that calls npm publish
4. The OIDC token exchange fails with 401 because the iss claim is https://token.actions.githubusercontent.com/<enterprise-slug> instead of https://token.actions.githubusercontent.com

The key OIDC token claims from a debug run confirm the issue, iss is enterprise-scoped (https://token.actions.githubusercontent.com/<enterprise-slug>) with issuer_scope: enterprise, while all other claims (repository, repository_owner, job_workflow_ref, aud) are correct and match the trusted publisher configuration.

Suggested fix: accept issuer URLs matching https://token.actions.githubusercontent.com/<slug> and optionally validate the enterprise claim matches the slug. The enterprise-scoped issuers share the same JWKS signing keys as the standard issuer.

Environment

npm: 11.12.1
Node.js: v24.14.1
OS: Ubuntu (GitHub Actions, ubuntu-latest)
Runner: GitHub-hosted
actions/setup-node: v6.1.0
Package: scoped (@org/package)

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐