ci: configure npm trusted publishing with provenance (#7061)
| publish: | ||
| needs: release-please | ||
| if: ${{ needs.release-please.outputs.releases_created == 'true' }} |
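Review bot: the `if:` gate on `publish` ties publishing to the `releases_created` output of the same run's `release-please` job, so if the release is created and the publish step then fails (the retry concern raised in this thread), re-running the whole workflow would likely not reach `publish` again, since a fresh `release-please` run would find nothing new to release. Document the retry path explicitly: either "Re-run failed jobs" on that run (which keeps the successful `release-please` outputs), or a `workflow_dispatch` trigger that runs `publish` for an already-created release.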
On npm publishing flakes, when the release-please run determines that a release was created but the actual publish fails (i.e. some network or npm registry issues), this would mean there is no way to "retry" to actually publish to npm, so this is a change from the way the CircleCI workflow works.
- Add release.yml workflow using release-please-action for stable releases
- Update pre-release.yml with OIDC permissions and --provenance flag
- Remove release-please job from CircleCI (update-lockfile stays)
https://claude.ai/code/session_011HCWQbTc6LTeMxgdwTH2R6
Pin actions to their full commit SHAs with version comments for security (immutable references) and readability. https://claude.ai/code/session_01HtVRxL8TMLfQTbTvvaLYWz
With id-token: write permission and trusted publishing configured on npmjs.com, npm uses the short-lived OIDC token automatically. NODE_AUTH_TOKEN was bypassing OIDC and using the long-lived token. https://claude.ai/code/session_01NmU7gnap9unNWgcsUyN3J7
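The shape described in these commits, as an added example that is not the PR's own `release.yml`: a minimal GitHub Actions release workflow that gates publishing on release-please and publishes with trusted publishing (OIDC) and provenance, with no `NODE_AUTH_TOKEN` or `NPM_TOKEN` in the job. Assumptions: the package is already configured for trusted publishing on npmjs.com for this repository and this workflow file name, the runner's npm CLI is recent enough to support OIDC publishing (npm 11.5.1 or later, per npm's documentation), and the `<full-commit-sha>` / `vX.Y.Z` values are placeholders to be replaced with the real pinned SHAs and version comments.

```yaml
# Added example, not the PR's own workflow. Pin every action to a full commit
# SHA in practice; "<full-commit-sha> # vX.Y.Z" is a placeholder here.
name: release

on:
  push:
    branches: [main]

# Default to read-only; each job requests only what it needs.
permissions:
  contents: read

jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the tag and GitHub release
      pull-requests: write   # open/update the release PR
    outputs:
      releases_created: ${{ steps.release.outputs.releases_created }}
    steps:
      - id: release
        uses: googleapis/release-please-action@<full-commit-sha> # vX.Y.Z
        with:
          release-type: node

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # lets npm obtain the short-lived OIDC token
    steps:
      - uses: actions/checkout@<full-commit-sha> # vX.Y.Z
      - uses: actions/setup-node@<full-commit-sha> # vX.Y.Z
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      # Deliberately no `env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` on this
      # step: with trusted publishing configured on npmjs.com, npm exchanges the
      # job's OIDC identity for a publish token itself. Setting NODE_AUTH_TOKEN
      # would make npm use that long-lived secret instead of OIDC.
      # --provenance attaches a signed attestation linking the tarball to this
      # workflow run, which consumers can check with `npm audit signatures`.
      - run: npm publish --provenance --access public
```

The two settings that matter are the `id-token: write` permission on the publishing job and the absence of any token secret in its environment; everything else is the same build-then-publish sequence the CircleCI job ran. Because the trusted-publishing policy on npmjs.com is bound to the repository and the workflow file name, renaming `release.yml` later silently breaks publishing until the policy is updated.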
@netlify/build
@netlify/build-info
@netlify/cache-utils
@netlify/config
@netlify/edge-bundler
@netlify/functions-utils
@netlify/git-utils
@netlify/headers-parser
@netlify/api
@netlify/nock-udp
@netlify/opentelemetry-sdk-setup
@netlify/opentelemetry-utils
@netlify/redirect-parser
@netlify/run-utils
@netlify/zip-it-and-ship-it
| - checkout | ||
| - npm-install-deps | ||
| - run: npm run build | ||
| - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc |
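Review bot: with this `~/.npmrc` write removed together with the job, the long-lived `NPM_TOKEN` should have no remaining consumer in CI. Worth following up by revoking that token on npmjs.com and deleting the secret from the CircleCI context rather than leaving it dormant, so that a leaked copy cannot publish outside the OIDC-gated workflow.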
AFAIK this was never actually needed. Possibly copypasta.
I think it might have been needed at least at some point - lerna/lerna#2404 (comment)
But it doesn't matter anymore with trusted publishing.
📊 Dependency Size Changes
Warning: This PR adds 4.5 MB of new dependencies, which exceeds the threshold of 100 kB.
Total size change: 4.5 MB
Summary
- `release.yml` workflow (stable releases): moved from CircleCI to GitHub Actions, without `NPM_TOKEN`. It uses Trusted Publishing with an OIDC token, and it uses provenance attestation.
- `pre-release.yml`: custom workflow changed to use https://pkg.pr.new instead.
See also:
Prerequisites: