Trust relationship already established on npmjs. Add provenance flag.
Pull request overview
This PR migrates the npm publishing workflow from token-based authentication to npm's trusted publishing using OIDC authentication. The trust relationship has already been established on npmjs.org, and this change adds the necessary GitHub Actions permissions and provenance flags to enable secure, token-less publishing.
Changes:
- Added OIDC permissions (`id-token: write` and `contents: read`) to the workflow
- Added `--provenance` flag to npm publish commands for transparency and attestation
- Removed `NODE_AUTH_TOKEN` environment variable from publish steps
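As an added illustration (editor's example, not the project's workflow and not code from the PR), here is a minimal GitHub Actions publish job in its token-based form beside the OIDC trusted-publishing form the review describes. The trigger, job names, Node version and registry URL are assumptions; the two package names and the `sed` rename are taken from the diff in this PR.

```yaml
# Added example, not the project's own workflow. Trigger, job names and
# node-version are assumptions; package names come from the PR diff.
name: publish
on:
  release:
    types: [published]

jobs:
  # BEFORE: long-lived secret, no provenance. A leaked NPM_TOKEN can publish
  # from anywhere, and nothing ties the tarball to this commit or run.
  publish-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm run build
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # AFTER: trusted publishing. The job requests an OIDC id-token, npm
  # exchanges it for a short-lived publish credential, and --provenance
  # attaches a signed attestation linking the package to this repo and run.
  publish-with-oidc:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required to mint the OIDC token
      contents: read    # checkout only; nothing else is granted
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs a recent npm CLI; upgrading in the job is
      # simpler than depending on whatever npm ships with the runner's Node.
      - run: npm install -g npm@latest
      - run: npm ci && npm run build
      # No NODE_AUTH_TOKEN anywhere in this job. Yarn Classic does not
      # understand --provenance, so the publish commands call npm directly.
      - run: npm publish --access public --provenance
      # The legacy name is a separate package on npmjs.org; a trusted
      # publisher has to be configured for it too, or this publish is rejected.
      - run: |
          sed -i -e 's#"@stellar/js-xdr"#"js-xdr"#' package.json
          npm publish --access public --provenance
```

The `permissions` block is the security-relevant part: `id-token: write` is what lets the job obtain an OIDC token, and keeping the rest at `contents: read` means a compromised build step cannot push to the repository or read other secrets the job was never granted. After a release, `npm audit signatures` in a consuming project verifies the published attestation against the registry.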
| yarn publish --access public --provenance | ||
| sed -i -e 's#"@stellar/js-xdr"#"js-xdr"#' package.json | ||
| yarn publish | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| yarn publish --provenance |
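Review bot: the last line of this hunk publishes under the renamed package, since the `sed` two lines earlier rewrites `package.json` from `@stellar/js-xdr` to `js-xdr`, and npm's trusted publishing is configured per package on npmjs.org; unless a trusted publisher has been set up for `js-xdr` as well as `@stellar/js-xdr`, the second `yarn publish --provenance` will be refused even though the first succeeds. Suggest confirming both package settings before merging, and switching both publish lines to `npm publish --access public --provenance`, which also sidesteps the Yarn Classic `--provenance` problem.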
Yarn Classic (v1.x) does not support the --provenance flag. Based on the yarn.lock file showing 'yarn lockfile v1', this project uses Yarn Classic. The --provenance flag is only supported by npm v9.5.0+ and Yarn Berry (v2+). Consider using npm publish instead of yarn publish, or migrate to Yarn Berry if you want to continue using Yarn with provenance support.
Big if true… we’re overdue for a package manager port but yeah sounds like we can’t do it this way until that’s done
oof. we need to do this soon. npm has killed classic tokens and we can only provision 90-day tokens
current token is already expired I believe
| run: | | ||
| V=$(cat package.json | jq '.version' | sed -e 's/\"//g') | ||
| echo "Deprecating js-xdr@$V" | ||
| npm deprecate js-xdr@"<= $V" "⚠️ This package has moved to @stellar/js-xdr! 🚚" |
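Review bot: the `npm deprecate` on the last line of this hunk is left without credentials once `NODE_AUTH_TOKEN` is removed, and npm's trusted publishing only mints an OIDC-backed credential for `npm publish`, not for `npm deprecate`, so this step will fail for lack of authentication even after the publish itself succeeds. Suggest either scoping a granular access token to this one step's `env` (and to the `js-xdr` package only), or dropping the step from CI and applying the deprecation once by hand, since the message does not change between releases. Minor: `V=$(jq -r '.version' package.json)` replaces the `cat | jq | sed` pipeline on the second line.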
The npm deprecate command requires authentication but no longer has access to NODE_AUTH_TOKEN. With trusted publishing via OIDC, the authentication token should be automatically provided by the setup-node action when registry-url is configured. However, ensure that the npm deprecate command can authenticate using the OIDC token set up by setup-node. If this step fails, you may need to add an environment variable that references the token created by setup-node (typically available via NODE_AUTH_TOKEN environment variable that setup-node creates automatically).
Included with the pnpm migration in #130