From e32f5f22c870ae79f288d7fed5295db0bd0b3c78 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 04:21:18 +0000 Subject: [PATCH 1/5] Initial plan From 27d7f28c8b8e9defccb1fca0ec1a17b9395e7d7c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 04:26:04 +0000 Subject: [PATCH 2/5] feat: enable trusted publishing for npm releases - Add id-token: write permission for OIDC authentication - Configure setup-node with always-auth for trusted publishing - Remove NODE_AUTH_TOKEN secret usage - Add provenance and access flags to npm publish command - Add comprehensive documentation in docs/TRUSTED_PUBLISHING.md Co-authored-by: NoopDog <3239697+NoopDog@users.noreply.github.com> --- .github/workflows/release-please.yml | 6 +- docs/TRUSTED_PUBLISHING.md | 132 +++++++++++++++++++++++++++ 2 files changed, 135 insertions(+), 3 deletions(-) create mode 100644 docs/TRUSTED_PUBLISHING.md diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 83606042..13b5f6e9 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -7,6 +7,7 @@ on: permissions: contents: write pull-requests: write + id-token: write # Required for trusted publishing to npm name: release-please @@ -29,6 +30,7 @@ jobs: with: node-version: "22.12.0" registry-url: "https://registry.npmjs.org" + always-auth: true # Enable authentication for trusted publishing - name: Install dependencies if: ${{ steps.release.outputs.release_created }} @@ -40,6 +42,4 @@ jobs: - name: Publish to NPM if: ${{ steps.release.outputs.release_created }} - run: npm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.DATABIOSPHERE_FINDABLE_UI_NPM_PUBLISH_TOKEN }} # Ensure this token is scoped to only the permissions required for npm publication to limit security risks. + run: npm publish --provenance --access public diff --git a/docs/TRUSTED_PUBLISHING.md b/docs/TRUSTED_PUBLISHING.md new file mode 100644 index 00000000..c482ad8b --- /dev/null +++ b/docs/TRUSTED_PUBLISHING.md @@ -0,0 +1,132 @@ +# Trusted Publishing Setup for NPM + +This repository uses GitHub's trusted publishing workflow to securely publish packages to npm without using long-lived access tokens. + +## What is Trusted Publishing? + +Trusted publishing is a security feature that allows GitHub Actions to publish packages to npm using short-lived, automatically generated tokens via OpenID Connect (OIDC). This eliminates the need to store long-lived npm tokens as repository secrets, reducing the attack surface and improving supply chain security. + +## Configuration + +### GitHub Actions Workflow + +The `.github/workflows/release-please.yml` workflow is configured with the following settings for trusted publishing: + +#### Required Permissions + +```yaml +permissions: + contents: write # Required for release-please to create releases + pull-requests: write # Required for release-please to create PRs + id-token: write # Required for trusted publishing to npm +``` + +The `id-token: write` permission enables the workflow to request OIDC tokens from GitHub's OIDC provider. + +#### Node.js Setup + +```yaml +- uses: actions/setup-node@v4 + with: + node-version: "22.12.0" + registry-url: "https://registry.npmjs.org" + always-auth: true # Enable authentication for trusted publishing +``` + +The `always-auth: true` setting ensures that authentication is enabled when publishing packages. + +#### Publishing with Provenance + +```yaml +- name: Publish to NPM + run: npm publish --provenance --access public +``` + +The `--provenance` flag enables build provenance, which creates a publicly verifiable link between the package and its source code and build. The `--access public` flag ensures the package is published as public. + +## NPM Setup Requirements + +To enable trusted publishing for this package on npm, you need to: + +1. **Log in to npm** and navigate to the package settings for `@databiosphere/findable-ui` +2. **Add a GitHub Actions Publishing Workflow**: + - Go to the package's publishing settings + - Click "Add GitHub Actions Publishing Workflow" + - Configure the trusted publisher with: + - **Repository**: `DataBiosphere/findable-ui` + - **Workflow**: `.github/workflows/release-please.yml` + - **Environment**: (leave blank, no environment is used) + +3. **Verify the Configuration**: + - Ensure the trusted publisher is listed in the package settings + - The workflow will use OIDC to authenticate automatically when publishing + +## Security Benefits + +- **No Long-Lived Tokens**: Eliminates the need to store npm access tokens as GitHub secrets +- **Automatic Rotation**: Tokens are short-lived and automatically generated for each workflow run +- **Build Provenance**: The `--provenance` flag creates verifiable attestations linking the package to its source +- **Reduced Attack Surface**: Compromised secrets cannot be used outside the workflow context +- **Audit Trail**: All publishes are tied to specific GitHub Actions workflow runs + +## Migration Notes + +### Removed Configuration + +The following configuration is no longer needed with trusted publishing: + +- **Repository Secret**: `DATABIOSPHERE_FINDABLE_UI_NPM_PUBLISH_TOKEN` - This secret can be safely removed from the repository settings as it is no longer used +- **NODE_AUTH_TOKEN Environment Variable**: No longer required in the publish step + +### Workflow Changes + +1. Added `id-token: write` permission +2. Added `always-auth: true` to `setup-node` action +3. Removed `NODE_AUTH_TOKEN` environment variable from publish step +4. Added `--provenance` and `--access public` flags to `npm publish` + +## Testing + +To test the trusted publishing workflow: + +1. Create a test commit on a feature branch +2. Merge to the `main` branch +3. If the commit triggers a release (based on conventional commits), the workflow will: + - Create a release PR via release-please + - Once merged, create a GitHub release + - Automatically publish to npm using trusted publishing + +Monitor the workflow run in the Actions tab to verify successful publication. + +## References + +- [npm Trusted Publishers Documentation](https://docs.npmjs.com/trusted-publishers) +- [GitHub: Publishing Node.js Packages](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages/publishing-nodejs-packages-from-github-actions) +- [npm Provenance Documentation](https://docs.npmjs.com/generating-provenance-statements) +- [OpenID Connect in GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) + +## Troubleshooting + +### Publishing Fails with Authentication Error + +If the workflow fails with an authentication error: + +1. Verify that trusted publishing is properly configured on npm for the package +2. Ensure the repository, workflow path, and environment (if any) match exactly in the npm settings +3. Confirm that the workflow has the `id-token: write` permission + +### Provenance Attestation Not Generated + +If the package is published but provenance is not attached: + +1. Ensure the `--provenance` flag is included in the `npm publish` command +2. Verify that the workflow has `id-token: write` permission +3. Check that the package is being published from a supported environment (GitHub Actions) + +### Package Access Issues + +If the package fails to publish due to access issues: + +1. Ensure the `--access public` flag is set (for public packages) +2. Verify that the npm package settings allow public access +3. Confirm that the organization and package name are correct From 8d59a140cee01939cf413947254167dfc2ceb5c4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 04:27:50 +0000 Subject: [PATCH 3/5] docs: add safety note about removing npm secret Co-authored-by: NoopDog <3239697+NoopDog@users.noreply.github.com> --- docs/TRUSTED_PUBLISHING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/TRUSTED_PUBLISHING.md b/docs/TRUSTED_PUBLISHING.md index c482ad8b..1fcddc48 100644 --- a/docs/TRUSTED_PUBLISHING.md +++ b/docs/TRUSTED_PUBLISHING.md @@ -75,7 +75,7 @@ To enable trusted publishing for this package on npm, you need to: The following configuration is no longer needed with trusted publishing: -- **Repository Secret**: `DATABIOSPHERE_FINDABLE_UI_NPM_PUBLISH_TOKEN` - This secret can be safely removed from the repository settings as it is no longer used +- **Repository Secret**: `DATABIOSPHERE_FINDABLE_UI_NPM_PUBLISH_TOKEN` - This secret can be safely removed from the repository settings as it is no longer used. **Important**: Only remove this secret after confirming the trusted publishing workflow works successfully in production to avoid disrupting the release process. - **NODE_AUTH_TOKEN Environment Variable**: No longer required in the publish step ### Workflow Changes From 65c1f17aeb2e0e3aec3112df2b9499660fecabf1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 05:15:13 +0000 Subject: [PATCH 4/5] style: run prettier on TRUSTED_PUBLISHING.md Co-authored-by: NoopDog <3239697+NoopDog@users.noreply.github.com> --- docs/TRUSTED_PUBLISHING.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/TRUSTED_PUBLISHING.md b/docs/TRUSTED_PUBLISHING.md index 1fcddc48..cb0ebc56 100644 --- a/docs/TRUSTED_PUBLISHING.md +++ b/docs/TRUSTED_PUBLISHING.md @@ -16,9 +16,9 @@ The `.github/workflows/release-please.yml` workflow is configured with the follo ```yaml permissions: - contents: write # Required for release-please to create releases - pull-requests: write # Required for release-please to create PRs - id-token: write # Required for trusted publishing to npm + contents: write # Required for release-please to create releases + pull-requests: write # Required for release-please to create PRs + id-token: write # Required for trusted publishing to npm ``` The `id-token: write` permission enables the workflow to request OIDC tokens from GitHub's OIDC provider. @@ -30,7 +30,7 @@ The `id-token: write` permission enables the workflow to request OIDC tokens fro with: node-version: "22.12.0" registry-url: "https://registry.npmjs.org" - always-auth: true # Enable authentication for trusted publishing + always-auth: true # Enable authentication for trusted publishing ``` The `always-auth: true` setting ensures that authentication is enabled when publishing packages. From 2d6b548c8b134d2e2ca370a2375873f8250bcaaf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Dec 2025 05:30:23 +0000 Subject: [PATCH 5/5] fix: apply prettier 2.8.3 formatting (#0) Use project's prettier version (2.8.3) instead of npx version (3.7.4) to ensure consistent formatting with CI checks. --- docs/TRUSTED_PUBLISHING.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/TRUSTED_PUBLISHING.md b/docs/TRUSTED_PUBLISHING.md index cb0ebc56..6fccaf4d 100644 --- a/docs/TRUSTED_PUBLISHING.md +++ b/docs/TRUSTED_PUBLISHING.md @@ -50,6 +50,7 @@ To enable trusted publishing for this package on npm, you need to: 1. **Log in to npm** and navigate to the package settings for `@databiosphere/findable-ui` 2. **Add a GitHub Actions Publishing Workflow**: + - Go to the package's publishing settings - Click "Add GitHub Actions Publishing Workflow" - Configure the trusted publisher with: