
ci: configure npm trusted publishing with provenance#7061

Draft: serhalp wants to merge 9 commits into main from claude/slack-session-78quP


Conversation

serhalp (Member) commented May 13, 2026

Summary

  • Port release.yml workflow (stable releases) from CircleCI to GitHub Actions
    • This ported workflow does not use NPM_TOKEN. It uses Trusted Publishing with an OIDC token. It uses provenance attestation.
  • Update pre-release.yml custom workflow to use https://pkg.pr.new instead

See also

Prerequisites:

coderabbitai Bot (Contributor) commented May 13, 2026
Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c220441c-da69-4778-960f-d1f28fb41202


Comment thread .github/workflows/release.yml (Outdated)

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}

Contributor commented:

On npm publishing flakes, when the release-please run determines that a release was created but the actual publish fails (i.e. some network or npm registry issue), this would mean there is no way to "retry" to actually publish to npm, so this is a change from the way the CircleCI workflow works.

Comment thread .github/workflows/release.yml
claude and others added 6 commits June 24, 2026 11:15
- Add release.yml workflow using release-please-action for stable releases
- Update pre-release.yml with OIDC permissions and --provenance flag
- Remove release-please job from CircleCI (update-lockfile stays)

https://claude.ai/code/session_011HCWQbTc6LTeMxgdwTH2R6
Pin actions to their full commit SHAs with version comments for
security (immutable references) and readability.

https://claude.ai/code/session_01HtVRxL8TMLfQTbTvvaLYWz
With id-token: write permission and trusted publishing configured
on npmjs.com, npm uses the short-lived OIDC token automatically.
NODE_AUTH_TOKEN was bypassing OIDC and using the long-lived token.

https://claude.ai/code/session_01NmU7gnap9unNWgcsUyN3J7
serhalp force-pushed the claude/slack-session-78quP branch from 10567dd to 76fd373 on June 24, 2026 15:33
Comment thread .github/workflows/pre-release.yml Fixed
serhalp changed the title from "ci: move npm publish to GHA for trusted publishing with provenance" to "ci: configure npm trusted publishing with provenance" on Jun 24, 2026
pkg-pr-new Bot commented Jun 24, 2026

  • @netlify/build: npm i https://pkg.pr.new/@netlify/build@7061
  • @netlify/build-info: npm i https://pkg.pr.new/@netlify/build-info@7061
  • @netlify/cache-utils: npm i https://pkg.pr.new/@netlify/cache-utils@7061
  • @netlify/config: npm i https://pkg.pr.new/@netlify/config@7061
  • @netlify/edge-bundler: npm i https://pkg.pr.new/@netlify/edge-bundler@7061
  • @netlify/functions-utils: npm i https://pkg.pr.new/@netlify/functions-utils@7061
  • @netlify/git-utils: npm i https://pkg.pr.new/@netlify/git-utils@7061
  • @netlify/headers-parser: npm i https://pkg.pr.new/@netlify/headers-parser@7061
  • @netlify/api: npm i https://pkg.pr.new/@netlify/api@7061
  • @netlify/nock-udp: npm i https://pkg.pr.new/@netlify/nock-udp@7061
  • @netlify/opentelemetry-sdk-setup: npm i https://pkg.pr.new/@netlify/opentelemetry-sdk-setup@7061
  • @netlify/opentelemetry-utils: npm i https://pkg.pr.new/@netlify/opentelemetry-utils@7061
  • @netlify/redirect-parser: npm i https://pkg.pr.new/@netlify/redirect-parser@7061
  • @netlify/run-utils: npm i https://pkg.pr.new/@netlify/run-utils@7061
  • @netlify/zip-it-and-ship-it: npm i https://pkg.pr.new/@netlify/zip-it-and-ship-it@7061

commit: b12382c

Comment thread .circleci/config.yml

      - checkout
      - npm-install-deps
      - run: npm run build
      - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc

Member Author commented:

AFAIK this was never actually needed. Possibly copypasta.

Contributor commented:

I think it might have been needed at least at some point: lerna/lerna#2404 (comment)

But it doesn't matter anymore with trusted publishing.
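The two credential models discussed in this thread (the CircleCI `_authToken` line above) and in the third commit message earlier on the page (NODE_AUTH_TOKEN bypassing OIDC), side by side as an added example. This is not this PR's release.yml or pre-release.yml and not Netlify's code; the workflow names, the `v*` tag trigger, the Node version, the `npm run build` step and the exact `registry-url` value are assumptions, and the two actions are left at a version tag rather than pinned to commit SHAs as the PR does. Both forms are written as one multi-document YAML file so the weak and the corrected job can be compared line by line:

```yaml
# Added example, not this PR's workflow. Two YAML documents separated by "---".
# Assumed: workflow names, the "v*" tag trigger, Node 22, the build step and the
# registry-url value. actions/checkout and actions/setup-node are the real action
# names; the PR pins them to full commit SHAs, this example uses version tags.

# Form A: long-lived token, the model the CircleCI step used. setup-node's
# registry-url option configures .npmrc to take its token from NODE_AUTH_TOKEN,
# so this is the same thing as writing
#   //registry.npmjs.org/:_authToken=${NPM_TOKEN}
# into ~/.npmrc. Anyone with access to the NPM_TOKEN secret, a leaked .npmrc or
# a job that can read the secret can publish any version at any time, and the
# registry cannot tell which workflow or commit a given publish came from.
name: release-legacy-token
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # static secret shared by every run

---
# Form B: trusted publishing with provenance, the model this PR moves to.
# Prerequisite outside this file: on npmjs.com the package must list this
# repository, this workflow's file name and (optionally) a GitHub environment as
# a trusted publisher. The registry only accepts an OIDC token whose claims match
# that registration, so a workflow with a different name or repo cannot publish.
name: release-trusted-publishing
on:
  push:
    tags: ['v*']
permissions:
  contents: read        # nothing gets write access unless a job asks for it
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets this job request a short-lived OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      # No NODE_AUTH_TOKEN in env. If it were set, npm would send that static
      # token and skip the OIDC exchange, which is the bug the third commit fixed.
      # --provenance asks npm to attach a signed attestation that ties the
      # published tarball to this repository, commit and workflow run.
      - run: npm publish --provenance --access public
```

Two things to check when adopting Form B: the npm CLI on the runner has to be a version that supports trusted publishing (assumption here; the npm documentation states the minimum), and the `id-token: write` grant should sit on the publish job only, not at the workflow level, so that build or test jobs never hold the ability to mint a registry-accepted identity token. The retry concern raised in the release.yml thread still applies to Form B: an OIDC token is minted per run, so a failed publish is retried by re-running the job, not by reusing a stored credential.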

Comment thread .github/workflows/pre-release.yml, lines 9 to 22 (Outdated)
github-actions Bot (Contributor) commented:

📊 Dependency Size Changes

Warning

This PR adds 4.5 MB of new dependencies, which exceeds the threshold of 100 kB.

Package: pkg-pr-new@0.0.75, size: 4.5 MB

Total size change: 4.5 MB

4 participants