feat(prd-048): npm Trusted Publishing (OIDC) — supersede D-2's Automation token #105
…supersede D-2
Operator decision: use npm Trusted Publishing (tokenless OIDC) instead of a long-lived Automation token. Keep OIDC provenance.
release.yaml:
- Remove the NPM_TOKEN token gate + NODE_AUTH_TOKEN env from the publish steps. Auth is now OIDC: GitHub Actions presents a short-lived id-token that npm verifies against the trusted publisher configured on the package. No stored npm secret (HONEYCOMB_POSTHOG_KEY is now the only release secret).
- Gate the real publish on a tag push (github.ref_type == 'tag' && !dry_run) rather than token presence; workflow_dispatch always dry-runs.
- Add `npm install -g npm@^11.5.1` after Setup Node — Node 22 ships npm 10.x, but OIDC Trusted Publishing needs npm >= 11.5.1 or the handshake never engages. Keep --provenance --access public.
Docs (supersede, not erase):
- index.md: D-2 struck + retained; new D-2′ (Trusted Publishing, no NPM_TOKEN). Go-public switch (d) → "configure the trusted publisher"; risks/ACs reconciled.
- 048a: org-provisioning ACs kept; token ACs → trusted-publisher config ACs + the first-publish bootstrap nuance (trusted publisher requires the package to exist → one manual 2FA publish, then OIDC for all CI publishes).
- RELEASING.md + 048d reconciled to the tokenless/trigger-gated model.
Note for 048d: the publishability preflight still fails-closed even on a dry-run while private:true (unchanged by this auth swap) — left to 048d's rehearsal-green scope.
npm run ci green (3252 tests). release.yaml YAML parses; zero functional NPM_TOKEN refs remain.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Walkthrough
The release workflow, release guidance, and PRD documents now describe npm Trusted Publishing with GitHub OIDC instead of
Changes
npm Trusted Publishing rollout
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant GitHubActions as GitHub Actions
    participant ReleaseWorkflow as release.yaml
    participant NpmTrustedPublishing as npm Trusted Publishing
    participant NpmRegistry as npm registry
    GitHubActions->>ReleaseWorkflow: start on tag push or workflow_dispatch
    ReleaseWorkflow->>ReleaseWorkflow: resolve publish mode from github.ref_type and dry_run
    alt real publish
        ReleaseWorkflow->>NpmTrustedPublishing: request OIDC auth with id-token: write
        NpmTrustedPublishing->>NpmRegistry: authorize npm publish --provenance --access public
        ReleaseWorkflow->>NpmRegistry: publish package
    else dry-run
        ReleaseWorkflow->>ReleaseWorkflow: run npm publish --dry-run
    end
```
Estimated code review effort: 4 (Complex) | ~45 minutes
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yaml:
- Around line 190-201: The publish-mode logic in the Resolve publish mode step
currently sets publish=true for any tag ref with dry_run=false, which can happen
on workflow_dispatch and allow an unintended real release. Update the condition
in the mode step to require a push event as well as a tag ref before enabling
real publish, and keep all other cases routed to the dry-run branch.
- Around line 93-95: The release workflow currently installs npm with a floating
major range, which can change the CLI version at publish time. In the release
job, update the npm upgrade step in the workflow to use one exact reviewed npm
version instead of the caret range, and keep bumping it intentionally when
needed; the Trusted Publishing requirement is still satisfied as long as the
chosen version is at least 11.5.1.
- Line 83: The release workflow still uses tag-based third-party actions, so
update the actions in the publish job to full commit SHAs instead of version
tags. Locate the workflow entries for actions/checkout, actions/setup-node, and
softprops/action-gh-release, and replace each referenced tag with the
corresponding reviewed SHA so the release process does not follow moved tags.
- Line 87: The publish workflow is still enabling setup-node package-manager
caching via the release job’s cache setting. Update the workflow configuration
around the setup-node step in the release/publish job to disable package-manager
caching by setting package-manager-cache to false, while keeping npm ci for
dependency installation.
- Around line 77-79: Clarify the npm publish auth setup in the release workflow
comments around the registry configuration: `registry-url` may still create
`.npmrc` scaffolding, but the important invariant is that no npm token is
provided anywhere in this trusted publishing path. Update the wording near the
release job setup to reflect that `npm publish` authorization comes from
OIDC/trusted publishing, not from `NODE_AUTH_TOKEN` or any token value, and keep
the explanation aligned with the existing release workflow symbols and comments.
In
`@library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048-npm-publishing-pipeline-index.md`:
- Around line 31-32: Update the superseded auth cross-reference in the PRD note
to point to D-2′ instead of D-2, since D-2 is already replaced later in the same
document. Find the supersession note near the D-2 reference in
prd-048-npm-publishing-pipeline-index.md and change the reference so readers
follow the newer decision history.
In
`@library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048a-npm-org-provisioning.md`:
- Around line 81-86: The Dependencies section conflates workflow auth with
npm-side setup; update the wording to separate `release.yaml`’s OIDC publish
path from the actual npm trusted publisher configuration. Clarify that GitHub
repo admin access is needed to configure the trusted publisher in npm, and
explicitly state the npm account ownership/maintainer requirement so it’s clear
who owns the npm-side setup.
In
`@library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048d-rehearsal-verification.md`:
- Around line 57-63: The risk text in the rehearsal verification section is
overstating the role of the workflow_dispatch dry_run checkbox; update the
wording in the “Risks / Out of scope” entry for this PRD so it makes clear that
workflow_dispatch stays dry-run because it is not a tag ref. Revise the
mitigation language to emphasize “no vX.Y.Z tag pushed” as the real safeguard,
and keep the focus on the tag-push publish path rather than implying dry_run
prevents publishing.
📒 Files selected for processing (5)
- .github/workflows/release.yaml
- RELEASING.md
- library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048-npm-publishing-pipeline-index.md
- library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048a-npm-org-provisioning.md
- library/requirements/backlog/prd-048-npm-publishing-pipeline/prd-048d-rehearsal-verification.md
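The workflow findings in the review above can be checked mechanically. This is an added example, not part of the PR or of CodeRabbit's output: `audit_workflow`, its finding names and both workflow fragments (including the placeholder commit SHAs) are constructed for illustration and trimmed to the keys the audit reads.

```shell
#!/bin/sh
# Added example: grep-based audit of a publish workflow for the review's findings.
# Reads workflow text on stdin and prints one finding name per line.
audit_workflow() {
  wf=$(sed 's/#.*//')   # drop YAML comments so prose mentions of a token do not match
  printf '%s\n' "$wf" | grep -Eq 'NPM_TOKEN|NODE_AUTH_TOKEN' && echo "stored-npm-token"
  printf '%s\n' "$wf" | grep -Eq '^[[:space:]]*cache:[[:space:]]*npm' && echo "npm-cache-on-publish-job"
  printf '%s\n' "$wf" | grep -E 'install -g npm' |
    grep -Evq 'npm@[0-9]+\.[0-9]+\.[0-9]+([[:space:]]|$)' && echo "floating-npm-cli"
  printf '%s\n' "$wf" | grep -E 'uses:[[:space:]]*[^.[:space:]]' |
    grep -Evq '@[0-9a-f]{40}([[:space:]]|$)' && echo "action-not-sha-pinned"
  printf '%s\n' "$wf" | grep -Eq 'id-token:[[:space:]]*write' || echo "missing-id-token-write"
  return 0
}

weak_workflow() { cat <<'EOF'
permissions:
  contents: write
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4.2.2
      - uses: actions/setup-node@v6.4.0
        with:
          cache: npm
      - run: npm install -g npm@^11.5.1
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
}

hardened_workflow() { cat <<'EOF'
permissions:
  contents: write
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
        with:
          package-manager-cache: false
      - run: npm install -g npm@11.6.2
      - run: npm publish --provenance --access public  # no NODE_AUTH_TOKEN: auth is OIDC
EOF
}
weak_workflow | audit_workflow
hardened_workflow | audit_workflow
```

The weak fragment reports all five findings; the hardened one reports none.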
…blish job
Three legitimate CodeRabbit/zizmor findings on the trusted-publishing workflow:
- Major (Data Integrity): a workflow_dispatch CAN target a tag ref, so 'ref_type==tag && !dry_run' could flip publish=true on a manual run. Add github.event_name=='push' to the real-publish gate so a dispatch ALWAYS rehearses. (Real publishes only from a pushed tag.)
- Major (Security): drop 'cache: npm' on the publish job — a lower-privilege workflow could poison an npm cache that this high-privilege release build then executes (cache-poisoning). npm ci installs from the committed lockfile.
- Major (Security): pin the npm upgrade to an exact version (npm@11.6.2) instead of '^11.5.1' so a release never runs an unreviewed CLI; still satisfies the OIDC >= 11.5.1 floor.
Declined (with reason): full-SHA action pinning — these refs (checkout@v4.2.2, setup-node@v6.4.0, action-gh-release@v2.4.1) are pre-existing version-tag pins matching the repo-wide convention; not changing pinning granularity for one workflow.
Doc minors: index xref → D-2′; 048a clarifies release.yaml consumes (not configures) the publisher; 048d guard wording aligned to the new event_name=='push' gate.
release.yaml parses; npm run ci unaffected (workflow+docs only).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
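The real-publish gate and the npm version floor from the commit above, as an added example that is not the project's `release.yaml` step. The helper names are hypothetical, the arguments stand in for `github.event_name`, `github.ref_type`, the `dry_run` input and the output of `npm --version`, and blocking a real publish on an npm below the floor is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: publish-mode gate plus npm floor check (hypothetical helpers).

# $1=event name, $2=ref type, $3=dry_run input. A push event carries no inputs,
# so dry_run is empty there; only a dispatch can set it to "true".
resolve_publish_mode() {
  if [ "$1" = "push" ] && [ "$2" = "tag" ] && [ "$3" != "true" ]; then
    echo "publish"
  else
    echo "dry-run"   # every workflow_dispatch lands here, even on a tag ref
  fi
}

# Succeed only when $1 is an exact x.y.z version at or above 11.5.1,
# the floor the PR gives for OIDC Trusted Publishing.
npm_meets_oidc_floor() {
  case "$1" in
    ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # rejects ^11.5.1, 11.x, empty
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 3 ] || return 1
  [ "$1" -ne 11 ] && { [ "$1" -gt 11 ]; return; }
  [ "$2" -ne 5 ] && { [ "$2" -gt 5 ]; return; }
  [ "$3" -ge 1 ]
}

# Combine both checks: a real publish with an npm too old for the OIDC
# handshake is blocked instead of attempted (assumption of this example).
release_preflight() {
  mode=$(resolve_publish_mode "$1" "$2" "$3")
  if [ "$mode" = "publish" ] && ! npm_meets_oidc_floor "$4"; then
    echo "blocked"
    return 1
  fi
  echo "$mode"
}

release_preflight push tag "" 11.6.2                 # pushed tag: real publish
release_preflight workflow_dispatch tag false 11.6.2 # manual run on a tag: rehearsal
release_preflight push tag "" 10.9.0 || true         # npm 10.x: blocked
```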
Summary
Amends PRD-048 to authenticate the npm publish with Trusted Publishing (tokenless OIDC) instead of a long-lived org Automation token — superseding decision D-2. OIDC provenance (D-7) stays. No `NPM_TOKEN` secret ever.
`.github/workflows/release.yaml`
- `NPM_TOKEN` token gate and the `NODE_AUTH_TOKEN` env from the publish steps. Auth is now OIDC: Actions presents a short-lived `id-token` that npm verifies against the trusted publisher configured on the package. `HONEYCOMB_POSTHOG_KEY` becomes the only release secret.
- `github.ref_type == 'tag' && !dry_run`) rather than token presence; `workflow_dispatch` always dry-runs.
- `npm install -g npm@^11.5.1` after Setup Node — Node 22 ships npm 10.x, but OIDC Trusted Publishing requires npm ≥ 11.5.1 or the handshake never engages. Kept `--provenance --access public`, `id-token: write`, the dry-run rehearsal, the gate, the version guard, and the publishability preflight.
Docs (supersede, not erase)
Notes
- `private: true` — that's 048d's rehearsal-green scope.
- `npm run ci` green (3252). `release.yaml` parses; zero functional `NPM_TOKEN` refs remain.
Operator's remaining off-repo steps (unchanged count): create the npm org, the one bootstrap publish, and configure the trusted publisher on npm (org `legioncodeinc` + repo `honeycomb` + workflow `release.yaml`) — instead of minting/storing a token.
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
`npm publish --dry-run`.
Bug Fixes
Documentation
NPM_TOKEN).