ci(release): switch npm publish to provenance-based auth #209
Add explicit permissions for OIDC token and contents access. Remove NODE_AUTH_TOKEN in favor of npm provenance publishing, which provides stronger supply chain security guarantees. Signed-off-by: Kevin Cui <bh@bugs.cc>
Summary by CodeRabbit
Walkthrough: This change modifies the GitHub Actions release workflow configuration file. A permissions block is added to the workflow, granting explicit access to
Pull request overview
This PR modernizes the npm publishing workflow by switching from token-based authentication to provenance-based publishing, which provides enhanced supply chain security through cryptographic attestation of package origin.
Key Changes:
- Added OIDC token and contents write permissions to enable provenance publishing
- Removed NODE_AUTH_TOKEN environment variable from the publish step
| @@ -47,5 +51,3 @@ jobs: | |||
| - name: Publish | |||
| run: | | |||
| pnpm publish --access public --no-git-checks | |||
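Review bot: The publish step in this hunk still runs `pnpm publish --access public --no-git-checks` with no `--provenance` flag, while the hunk header (`-47,5 +51,3`) shows two lines dropped from the step, matching the NODE_AUTH_TOKEN removal the PR description announces; with the token gone and no provenance flag, the hunk shows no remaining authentication path for the publish. Suggest `pnpm publish --provenance --access public --no-git-checks` and a sentence in the PR description naming the pnpm version and the registry-side trusted-publisher configuration this relies on. Also worth stating whether `--no-git-checks` is still intended now that the workflow trigger is the only guard on what gets published.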
The publish command is missing the --provenance flag, which is required for npm provenance publishing. Without this flag, the id-token permissions and removal of NODE_AUTH_TOKEN will cause the publish step to fail due to authentication errors. Add --provenance to the pnpm publish command to enable provenance-based authentication.
- pnpm publish --access public --no-git-checks
+ pnpm publish --provenance --access public --no-git-checks
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/release.yml (2)
1-1: Fix typo in workflow name. The workflow name has a typo: "Rlease" should be "Release". This appears in the GitHub Actions UI.
🔎 Proposed fix
-name: Rlease
+name: Release
51-53: Add --provenance flag to enable npm provenance attestations. The pnpm publish command is missing the --provenance flag required to generate npm provenance attestations. pnpm v8.4.0+ supports this flag, and it is necessary for provenance-based publishing to function with the OIDC token configured in this workflow.
🔎 Proposed fix
  - name: Publish
    run: |
-     pnpm publish --access public --no-git-checks
+     pnpm publish --access public --no-git-checks --provenance
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
15-16: Consider updating to v4 of GitHub Actions. Both actions/checkout and actions/setup-node have v4 versions available with improvements and security updates.
🔎 Proposed updates
  - name: Checkout
-   uses: actions/checkout@v3
+   uses: actions/checkout@v4
  - name: Setup node
-   uses: actions/setup-node@v3
+   uses: actions/setup-node@v4
    with:
      node-version: 18
      registry-url: 'https://registry.npmjs.org'
Also applies to: 18-19
🔇 Additional comments (1)
.github/workflows/release.yml (1)
7-9: LGTM! Permissions correctly configured for provenance-based publishing. The id-token: write permission enables OIDC token generation for npm provenance, and contents: write allows the workflow to create GitHub releases.
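To show the two review points above together (the explicit OIDC permissions and the missing --provenance flag), here is an illustrative release workflow added as an example; it is not the repository's release.yml. The tag trigger, the pnpm/action-setup step, the install and publish step layout, and the action version pins are assumptions.

```yaml
# Illustrative release workflow (added example, not the repository's file).
# Assumptions: runs on pushed version tags, pnpm is installed via
# pnpm/action-setup, and the package is public on registry.npmjs.org.
name: Release

on:
  push:
    tags: ['v*']

# Workflow-level default: read-only. Write scopes are granted per job only.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job mint an OIDC token for npm provenance
      contents: write   # only because this job also creates the GitHub release
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: 18
          registry-url: 'https://registry.npmjs.org'

      - name: Install
        run: pnpm install --frozen-lockfile

      - name: Publish
        # No NODE_AUTH_TOKEN env block: with the token removed, the registry
        # must already trust this workflow's OIDC identity (npm trusted
        # publishing configured for the package on npmjs.com; assumed here).
        # --provenance attaches a signed attestation tying the tarball to
        # this exact repository, workflow and run.
        # --no-git-checks is kept from the original step; it disables pnpm's
        # branch/clean-tree check, so the tag trigger is the only input guard.
        run: pnpm publish --provenance --access public --no-git-checks
```

Consumers can later confirm the attestation with `npm audit signatures` in a project that depends on the package.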