
PREQ-5138 authenticate NPM#230

Merged
claire-villard-sonarsource merged 1 commit into claire/upgrade-libs from fix/jcarsique/PREQ-5138-npmAuth
Apr 13, 2026

Conversation

@julien-carsique-sonarsource (Contributor) commented Apr 10, 2026

@hashicorp-vault-sonar-prod (Bot) commented Apr 10, 2026

PREQ-5138

@julien-carsique-sonarsource force-pushed the fix/jcarsique/PREQ-5138-npmAuth branch from 2456556 to 69186b2 on April 10, 2026 15:52

@sonar-review-alpha (Bot) commented Apr 10, 2026

Summary

This PR adds NPM authentication to the CI workflow to support access to private packages (likely via JFrog Repox). It makes three key changes:

  1. Switches the workflow runner to github-ubuntu-latest-s (a specific runner configuration)
  2. Adds OIDC (id-token: write) and content permissions to enable temporary credential generation
  3. Adds a new step that runs SonarSource/ci-github-actions/config-npm@v1 to configure NPM authentication

This enables the workflow to authenticate with the private NPM registry without embedding static credentials in the codebase. The actual authentication is delegated to the SonarSource reusable action, which likely exchanges the OIDC token for temporary Repox credentials.

What reviewers should know

Reviewer focus areas:

  • Runner change: The switch to github-ubuntu-latest-s is critical—verify this runner is available in your infrastructure and supports the authentication flow. If this runner doesn't exist or lacks OIDC support, the workflow will fail.

  • Permission scope: The id-token: write permission enables OIDC token generation. Confirm this aligns with your security policies for temporary credential generation. The contents: write permission may already be present in your workflows—verify it's actually needed here or if it's redundant.

  • External dependency: The config depends on SonarSource/ci-github-actions@v1. This action is external and reusable—check that it's well-maintained and understand what it does under the hood (does it modify .npmrc? Set env vars?). The linked terraform PR (#8923) likely contains the infrastructure setup required for this to work.

  • Testing: Ensure the workflow runs successfully with these changes. The new step will silently fail if the runner lacks OIDC support or if the Repox backend is misconfigured.


@sonar-review-alpha (Bot) left a review comment

Small, focused change. One permission concern worth addressing before merge.


runs-on: github-ubuntu-latest-s
permissions:
id-token: write
contents: write
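Review bot: `contents: write` in this permissions block is broader than the job needs; of the two scopes declared, `id-token: write` is the one the OIDC token exchange requires, while checking out the repository needs only `contents: read`, so suggest changing the last line to `contents: read`. One caveat worth recording in the PR description: once a job declares an explicit `permissions:` block, every scope not listed becomes `none` for that job's GITHUB_TOKEN, so any later step that needs another scope (for example commenting on the PR) has to be added here deliberately rather than relying on the repository default token grants.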

Overly permissive scope: contents: write grants the ability to push commits and modify repository contents. This workflow only checks out code, installs dependencies, and runs tests — none of that requires write access.

The default contents: read is sufficient here. If config-npm@v1 genuinely requires contents: write, that should be documented — but it would be unusual for an NPM authentication action to need it.

Drop this to read unless there is a concrete reason it must be write.

Suggested change:

 id-token: write
-contents: write
+contents: read
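As an added illustration of the workflow shape the summary above describes and the least-privilege permissions the review comment asks for, here is a complete job. It is example configuration written for this page, not the PR's own diff: the workflow name, trigger block, job name, the `actions/checkout` and `npm` steps, and the verification step are all assumptions, and `SonarSource/ci-github-actions/config-npm@v1` is invoked exactly as named on the page, with no inputs, because the page shows none.

```yaml
name: build

on:
  pull_request:
  push:
    branches: [main]   # assumption: the PR does not show its trigger block

jobs:
  test:
    # runner name taken from the PR; it must exist in your organisation and
    # must be able to reach the GitHub OIDC token endpoint, otherwise the
    # config-npm step cannot obtain an id-token
    runs-on: github-ubuntu-latest-s

    # an explicit permissions block sets every unlisted scope to `none` for
    # this job's GITHUB_TOKEN, so list only what the steps below need
    permissions:
      id-token: write   # needed to mint the OIDC token config-npm exchanges for registry credentials
      contents: read    # checkout needs read only; `write` would let any step push commits

    steps:
      - uses: actions/checkout@v4

      # delegates registry authentication to the SonarSource reusable action
      # named in the PR; in your own copy, pin to a full commit SHA instead of
      # the mutable v1 tag if your supply-chain policy requires it
      - name: Configure NPM authentication
        uses: SonarSource/ci-github-actions/config-npm@v1

      # assumption: a cheap check that the action actually reconfigured npm,
      # without printing any credential. `npm config get registry` shows which
      # registry is now in effect; `npm ping` confirms that registry is reachable
      # with npm's current configuration, so a misconfigured backend fails here
      # rather than partway through `npm ci`
      - name: Verify registry configuration
        run: |
          npm config get registry
          npm ping

      - run: npm ci
      - run: npm test
```

The verification step deliberately avoids `cat ~/.npmrc` or dumping the environment: the point is to confirm that the registry changed and answers, not to echo the token the action obtained into the job log.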

@claire-villard-sonarsource claire-villard-sonarsource merged commit 335eaf6 into claire/upgrade-libs Apr 13, 2026
73 of 74 checks passed
@claire-villard-sonarsource claire-villard-sonarsource deleted the fix/jcarsique/PREQ-5138-npmAuth branch April 13, 2026 09:01

2 participants