[RRFC] Feature Request: Adding Bitbucket Pipelines as a trusted NPM publisher

[ShirlZhou1]

[RRFC] Feature Request: Add Bitbucket Pipelines as a trusted NPM publisher

Motivation

Npm currently does not support Bitbucket Pipelines as a trusted publisher and now that classic tokens are no longer supported we want to ensure users are able to publish to NPM without being reliant on tokens.

This will allow us to stay up to date with security best practices and allow users to enable NPM into their CI/CD workflow more easily.

We have added the ability to enable NPM as an audience so this integration is possible

source: https://github.blog/changelog/2025-11-05-npm-security-update-classic-token-creation-disabled-and-granular-token-changes/
source: https://docs.npmjs.com/trusted-publishers

How

Current Behaviour

Currently bitbucket pipelines is not a trusted publisher so users have to rely upon tokens to publish to NPM.

Desired Behaviour

Currently Github Actions & Gitlab CI/CD are able to be selected as a publisher with configurations to control publishing access we want an equivalent for Bitbucket Pipelines that looks something like:

Publisher

Bitbucket Pipelines

Workspace*             /       Repo*

{workspaceUuid}     /      {RepositoryUuid}

Deployment UUID (Optional)

{deploymentEnvironmentUuid}

Authorising the trusted publisher

The OIDC token will have the following attributes inside that can be used to verify the publisher is the same as the configured trusted publisher

• workspaceUuid
• repositoryUuid
• deploymentEnvironmentUuid

Example of claims

{
	"sub": "{60518816-1111-1111-1111-555555c267ed}:{2df4c531-1111-1111-1111-5555556048f8c}:{stepUuid}",
	"aud": "ari:cloud:bitbucket::workspace/3a8a18b2-1111-1111-1111-55555519a6f30",
	"stepUuid": "{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}",
	"deploymentEnvironmentUuid": "{2df4c531-1111-1111-1111-5555556048f8c}",
	"iss": "https://api.bitbucket.org/2.0/workspaces/bitbucket-workspace/pipelines-config/identity/oidc",
	"repositoryUuid": "{60518816-1111-1111-1111-555555c267ed}",
	"branchName": "xxxxxxxxx",
	"exp": "xxxxxxxxxx",
	"iat": "xxxxxxxxxx",
	"pipelineUuid": "{xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxx}",
	"workspaceUuid": "{3a8a18b2-1111-1111-1111-55555519a6f30}"
}

Authenticating the OIDC Token

The pipeline will send a JWT containing claims containing information that is needed to authorise the pipeline to publish to NPM.

The JWT can then be authenticated using RSA keys found via:

• jwks_uri link found in https://api.bitbucket.org/2.0/workspaces/{bitbucket-workspace}/pipelines-config/identity/oidc/.well-known/openid-configuration
• Or through https://api.bitbucket.org/2.0/workspaces/{bitbucket-workspace}/pipelines-config/identity/oidc/keys.json url directly