Add OIDC trusted publishing + staged npm releases via GitHub Actions#447
Draft
patocallaghan wants to merge 3 commits into
Conversation
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…d runtime

Apply the fixes validated on the passport-intercom and cli publish workflows:

- verify: use fetch-depth: 0 and drop the manual `git fetch --depth=1`, so the default-branch ancestry check has the history it needs (the double-shallow version could only pass when the tag was the branch tip)
- add a top-level concurrency group so overlapping releases serialize instead of racing for a dist-tag
- add timeout-minutes: 15 to stage-publish

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why?
Moves npm publishing onto short-lived, per-run OIDC credentials with a human approval step, removing the need for a stored long-lived npm token.
How?
Adds a release-triggered GitHub Actions workflow that authenticates to npm via OIDC (no token) and uses npm's staged publishing, so each release is queued for a maintainer to approve before it goes live.
Opened as an alternative for discussion against the existing migration:

The difference: this layers a human staged-approval gate (`npm stage publish`) on top of OIDC, rather than publishing directly on release.

Generated with Claude Code
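The commit message above describes a "verify" step that only lets a release proceed when the tag is an ancestor of the default branch, and explains why that step needs `fetch-depth: 0`: with a shallow clone, `git merge-base` cannot see the history between the tag and the branch tip, so the check could only pass when the tag was the tip itself. As an added example, not code from this PR or the project, here is that check written as a POSIX shell function and exercised against a constructed throwaway repository (the repository layout, the tag names `v1.0.0`/`v9.9.9`, the branch names `main`/`feature` and the function names are assumptions). A tag on `main` is accepted; a tag only reachable from a side branch is rejected, as is a tag that does not exist. In a real workflow the third argument would be the fetched remote ref, e.g. `origin/main`.

```shell
#!/usr/bin/env sh
# Added example (not from the PR): the default-branch ancestry check that a
# publish workflow runs before releasing a tag. Requires full history in the
# checkout (fetch-depth: 0); a depth-1 clone has no ancestry to walk.

# Usage: tag_on_default_branch <repo-dir> <tag> <default-branch-ref>
# Returns 0 when the commit the tag points at is reachable from (or equal to)
# the tip of the default branch, 1 otherwise (including unknown tag/branch).
tag_on_default_branch() {
  repo="$1"; tag="$2"; branch="$3"
  # Peel annotated tags to the underlying commit; fail closed if the tag is missing.
  tag_sha=$(git -C "$repo" rev-parse --verify -q "refs/tags/$tag^{commit}") || return 1
  branch_sha=$(git -C "$repo" rev-parse --verify -q "$branch^{commit}") || return 1
  # merge-base --is-ancestor exits 0 if tag_sha is an ancestor of branch_sha, 1 if not.
  git -C "$repo" merge-base --is-ancestor "$tag_sha" "$branch_sha"
}

# Constructed demo repository (assumption, not the project's history):
#   main:    v1.0.0           <- legitimate release tag on the default branch
#   feature: v9.9.9           <- tag pushed from an unreviewed side branch
# Prints the repository path so callers can clean it up.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  git -C "$dir" config user.name demo
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config commit.gpgsign false
  git -C "$dir" commit -q --allow-empty -m "release commit on main"
  git -C "$dir" tag v1.0.0
  git -C "$dir" checkout -q -b feature
  git -C "$dir" commit -q --allow-empty -m "unreviewed change on a side branch"
  git -C "$dir" tag v9.9.9
  git -C "$dir" checkout -q main
  printf '%s\n' "$dir"
}

# Walk the constructed repository and report each verdict; returns the repo path.
demo() {
  repo=$(make_demo_repo)
  for t in v1.0.0 v9.9.9 v0.0.0; do
    if tag_on_default_branch "$repo" "$t" main; then
      echo "$t: on default branch, ok to release"
    else
      echo "$t: NOT on default branch, refusing to release"
    fi
  done
  rm -rf "$repo"
}
```

The check is what gives the OIDC credential its value: the token issued to the run is scoped to the workflow, so the only remaining question is whether the tag the workflow was triggered for points at reviewed history. Running it against `origin/<default>` after a full fetch answers that; running it against a one-commit clone does not.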