feat(ci): use npm trusted publishing with OIDC #5806
Deploying egg-v3 with Cloudflare Pages
Latest commit: ce10c18
Status: ✅ Deploy successful!
Preview URL: https://e40db30b.egg-v3.pages.dev
Branch Preview URL: https://fix-release-provenance.egg-v3.pages.dev
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
Warning (Socket for GitHub): Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff (base: next, head: #5806, +/- unchanged):
Coverage    85.23%   85.23%
Files       650      650
Lines       12518    12518
Branches    1436     1436
Hits        10670    10670
Misses      1728     1728
Partials    120      120
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)
113-135: ⚠️ Potential issue | 🔴 Critical
OIDC trusted publishing requires npm CLI ≥ 11.5.1, but Node 24 ships with npm 11.0.0 — the workflow will fail to authenticate.
The workflow relies on `actions/setup-node` with GitHub OIDC (`id-token: write`) to exchange an OIDC token for npm registry authentication. This token exchange is performed by the npm CLI itself (≥ 11.5.1), not by pnpm. While pnpm does delegate publishing to the npm binary, Node 24 initially shipped with npm 11.0.0, which does not yet support OIDC trusted publishing. As a result, `pnpm -r publish` will invoke an npm version that cannot perform the OIDC exchange, causing authentication to fail.
Recommended fix: Add an npm upgrade step before publishing to ensure npm ≥ 11.5.1 is available:
Upgrade npm for OIDC support
+ - name: Upgrade npm for OIDC trusted publishing + run: npm install -g npm@latest + - name: Publish packages (dry run)
Alternatively, replace `pnpm -r publish` with `npm publish --workspaces`, which makes the npm CLI invocation explicit and ensures the OIDC token exchange happens correctly. The `--access public` additions are correct and necessary for scoped packages.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/release.yml around lines 113 - 135, The workflow uses pnpm -r publish which relies on the system npm binary, but Node 24 ships with npm 11.0.0 and lacks OIDC trusted publishing support; update the job to ensure npm ≥ 11.5.1 before publishing (after actions/setup-node with id-token: write) or replace the pnpm invocation with an explicit npm publish --workspaces call so the npm CLI performs the OIDC exchange; locate the publish steps referencing "pnpm -r publish" and the job names "Publish packages (dry run)" / "Publish packages" and either add an npm upgrade step (npm install -g npm@>=11.5.1) prior to those runs or swap to npm publish --workspaces --access public (keeping the prerelease tag logic).
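The comment above hinges on one fact a release job can verify for itself: whether the npm binary that `pnpm -r publish` will call is new enough to do the OIDC token exchange. The following bash preflight is an added example, not code from the PR or the eggjs release workflow. The names `MIN_NPM_FOR_OIDC`, `version_ge`, `npm_supports_oidc` and `preflight_npm` are chosen here; the 11.5.1 threshold is the one the review comment states. It fails the job with a readable message instead of letting publish die on an authentication error, and the hint it prints pins an explicit npm version rather than `npm@latest`, so the toolchain used to sign releases stays reproducible.

```bash
#!/usr/bin/env bash
# Added example (not from the PR or the eggjs project): gate the publish step on the
# npm CLI version that OIDC trusted publishing needs (>= 11.5.1 per the review comment).
# Usage in a workflow step: source this file, then run `preflight_npm` before publishing.
set -euo pipefail

MIN_NPM_FOR_OIDC="11.5.1"

# version_ge A B -> exit 0 when dotted version A >= B.
# Compares the first three numeric components; a prerelease suffix (-beta.1) is ignored.
version_ge() {
  local a="${1%%-*}" b="${2%%-*}"
  local IFS=.
  local -a pa=($a) pb=($b)
  local i
  for i in 0 1 2; do
    local x="${pa[i]:-0}" y="${pb[i]:-0}"
    if (( x > y )); then return 0; fi
    if (( x < y )); then return 1; fi
  done
  return 0
}

# npm_supports_oidc VERSION -> exit 0 if an npm CLI of that version can perform the
# OIDC token exchange (i.e. VERSION >= MIN_NPM_FOR_OIDC).
npm_supports_oidc() {
  version_ge "$1" "$MIN_NPM_FOR_OIDC"
}

# preflight_npm -> inspects the npm actually on PATH (the binary pnpm will delegate to)
# and fails the job early, with a diagnosis, when it is too old for trusted publishing.
preflight_npm() {
  local v
  v="$(npm --version 2>/dev/null)" || { echo "npm not found on PATH" >&2; return 1; }
  if npm_supports_oidc "$v"; then
    echo "npm $v supports OIDC trusted publishing (>= $MIN_NPM_FOR_OIDC)"
  else
    echo "npm $v is too old for OIDC trusted publishing; need >= $MIN_NPM_FOR_OIDC" >&2
    echo "hint: add a step running 'npm install -g npm@$MIN_NPM_FOR_OIDC' before publishing" >&2
    return 1
  fi
}
```

Node 24's bundled npm 11.0.0 fails the check (`npm_supports_oidc 11.0.0` returns 1), while 11.5.1 and anything newer pass; a pinned upgrade step placed before `preflight_npm` makes the check a no-op that documents the requirement.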
Pull request overview
This PR modernizes the npm publishing workflow by migrating to OIDC-based trusted publishing, eliminating the need for static npm tokens. The workflow already has the required OIDC infrastructure (id-token: write permission and registry-url configuration), so this change simply adds the --access public flag to ensure all packages are published publicly.
Changes:
- Add `--access public` flag to all `pnpm publish` commands (both dry-run and production)
- Leverage existing OIDC setup for secure, token-less npm authentication
- Enable automatic provenance attestation generation via OIDC
Deploying egg with Cloudflare Pages
Latest commit: ce10c18
Status: ✅ Deploy successful!
Preview URL: https://701369cc.egg-cci.pages.dev
Branch Preview URL: https://fix-release-provenance.egg-cci.pages.dev
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
tegg/plugin/mcp-proxy/package.json (2)
16-20: ⚠️ Potential issue | 🟡 Minor
Missing `license` field. All peer packages in the monorepo (`dal-decorator`, `core-decorator`, `dal-runtime`, etc.) declare `"license": "MIT"`, but this file omits the field entirely. npm will default to unlicensed, which affects auditability and consumer tooling.
🛡️ Proposed fix
"repository": { "type": "git", "url": "git+https://github.com/eggjs/egg.git", "directory": "tegg/plugin/mcp-proxy" }, + "license": "MIT", "files": [
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tegg/plugin/mcp-proxy/package.json` around lines 16 - 20, The package.json is missing a top-level "license" field; add "license": "MIT" to the package.json (near the existing "repository" object) so the package aligns with peers like dal-decorator/core-decorator and is correctly marked for npm and audits—ensure the key is a top-level property named license with value "MIT".
54-65: ⚠️ Potential issue | 🟠 Major
Change `cluster-client` and `content-type` to use the `catalog:` protocol; both are already defined in `pnpm-workspace.yaml`.
- `cluster-client` should be `"cluster-client": "catalog:"` (currently `^3.7.0`)
- `content-type` should be `"content-type": "catalog:"` (currently `^1.0.5`)
Additionally, the following dependencies used across the monorepo are not yet in the catalog: `@modelcontextprotocol/sdk`, `eventsource-parser`, `raw-body`, `eventsource`. Either add these to the `pnpm-workspace.yaml` catalog and reference them with `catalog:`, or provide justification if they should remain as explicit versions specific to this plugin.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tegg/plugin/mcp-proxy/package.json` around lines 54 - 65, Update the dependency entries in package.json so "cluster-client" and "content-type" use the monorepo catalog protocol (change their versions to "catalog:"), and then either add the other shared packages "@modelcontextprotocol/sdk", "eventsource-parser", "raw-body", and "eventsource" to the pnpm-workspace.yaml catalog and reference them with "catalog:" as well, or document why each of those should remain pinned to a specific version; key symbols to change/inspect are the "dependencies" entries for "cluster-client" and "content-type" and the catalog section in pnpm-workspace.yaml for the other package names.
📒 Files selected for processing (75)
- package.json
- packages/: cluster, cookies, core, egg, errors, extend2, koa-static-cache, koa, logger, path-matching, router, supertest, tsconfig, utils (each `package.json`)
- plugins/: development, i18n, jsonp, logrotator, mock, multipart, onerror, redis, schedule, security, session, static, tracer, typebox-validate, view-nunjucks, view, watcher (each `package.json`)
- tegg/core/: ajv-decorator, aop-decorator, aop-runtime, background-task, common-util, controller-decorator, core-decorator, dal-decorator, dal-runtime, dynamic-inject-runtime, dynamic-inject, eventbus-decorator, eventbus-runtime, langchain-decorator, lifecycle, loader, mcp-client, metadata, orm-decorator, runtime, schedule-decorator, standalone-decorator, tegg, transaction-decorator, types, vitest (each `package.json`)
- tegg/plugin/: ajv, aop, common, config, controller, dal, eventbus, langchain, mcp-client, mcp-proxy, orm, schedule, tegg (each `package.json`)
- tegg/standalone/standalone/package.json
- tools/: create-egg, egg-bin, scripts (each `package.json`)
✅ Files skipped from review due to trivial changes (38)
- plugins/security/package.json
- tegg/plugin/tegg/package.json
- tegg/core/dynamic-inject-runtime/package.json
- plugins/watcher/package.json
- tegg/plugin/common/package.json
- tegg/plugin/eventbus/package.json
- plugins/static/package.json
- packages/supertest/package.json
- tegg/core/langchain-decorator/package.json
- plugins/jsonp/package.json
- tegg/core/aop-decorator/package.json
- tegg/core/vitest/package.json
- tools/scripts/package.json
- tegg/core/eventbus-decorator/package.json
- tegg/core/common-util/package.json
- tegg/plugin/config/package.json
- packages/utils/package.json
- plugins/multipart/package.json
- plugins/onerror/package.json
- tegg/core/standalone-decorator/package.json
- tegg/plugin/ajv/package.json
- packages/errors/package.json
- tegg/plugin/mcp-client/package.json
- tegg/plugin/langchain/package.json
- tools/create-egg/package.json
- packages/cookies/package.json
- tegg/plugin/orm/package.json
- tegg/core/types/package.json
- tegg/core/mcp-client/package.json
- tegg/core/runtime/package.json
- tegg/core/loader/package.json
- package.json
- tegg/core/background-task/package.json
- packages/extend2/package.json
- plugins/view/package.json
- plugins/session/package.json
- packages/koa-static-cache/package.json
- plugins/typebox-validate/package.json
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 129-135: The publish commands use "pnpm -r publish ... || tail -n 100 ~/.npm/_logs/*.log" which can return success if tail succeeds, masking failures; change each branch to run the publish and on failure print logs and then exit non-zero, e.g. replace "pnpm -r publish ... || tail -n 100 ~/.npm/_logs/*.log" with a compound fallback that prints the logs and then exits (for example: "pnpm -r publish ... || { tail -n 100 ~/.npm/_logs/*.log; exit 1; }") so the workflow fails when the publish ("pnpm -r publish") fails.
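The masking the comment describes is easy to reproduce without touching a registry. The script below is an added example, not code from the PR: `fake_publish`, `masked_publish`, `strict_publish`, `status_of` and the temporary log directory are constructed stand-ins for `pnpm -r publish` and `~/.npm/_logs`. It runs the same failed publish through the workflow's `|| tail` pattern and through the `|| { tail; exit 1; }` form the comment recommends, and reports the exit status each one hands back to the job. A release job that stays green after a failed publish is a detection gap: a broken or unauthenticated publish is exactly the event the job exists to surface.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR: why `publish || tail <logs>` hides a failed
# publish, and how the `|| { ...; exit 1; }` form from the review comment fixes it.
# fake_publish, masked_publish, strict_publish, status_of and LOG_DIR are constructed
# stand-ins for `pnpm -r publish` and ~/.npm/_logs; nothing is published anywhere.
set -u

LOG_DIR="$(mktemp -d)"
trap 'rm -rf "$LOG_DIR"' EXIT
# Constructed sample log, standing in for the npm debug log the workflow tails on failure.
printf 'npm ERR! code E401\nnpm ERR! Unable to authenticate, need: Bearer\n' > "$LOG_DIR/debug.log"

# fake_publish STATUS -> exits with STATUS; 0 models a successful publish, 1 a failed one.
fake_publish() { return "$1"; }

# masked_publish STATUS -> the workflow's current pattern. The exit status of an `a || b`
# list is that of the last command executed, so when the publish fails and `tail`
# succeeds the step reports 0 and the job stays green.
masked_publish() {
  fake_publish "$1" || tail -n 100 "$LOG_DIR"/*.log
}

# strict_publish STATUS -> the corrected pattern: still print the logs for diagnosis,
# then fail explicitly. In a workflow `run:` step the group ends in `exit 1`; `return 1`
# is used here so the function can be called repeatedly from this script.
strict_publish() {
  fake_publish "$1" || { tail -n 100 "$LOG_DIR"/*.log; return 1; }
}

# status_of PATTERN STATUS -> prints the exit status PATTERN yields for a publish that
# exits with STATUS. The pattern's own output is discarded; only the status matters here.
status_of() {
  "$1" "$2" >/dev/null 2>&1 && echo 0 || echo $?
}

# Demo: the same failed publish (status 1) under both patterns, plus a good publish.
echo "masked pattern, failed publish -> exit $(status_of masked_publish 1)"   # 0 (job looks green)
echo "strict pattern, failed publish -> exit $(status_of strict_publish 1)"   # 1 (job fails)
echo "strict pattern, good publish   -> exit $(status_of strict_publish 0)"   # 0
```

The only difference between the two functions is the `{ ...; return 1; }` group, which is why the fix in the workflow is a one-line change per branch: keep the `tail` for the log excerpt, then end the group with `exit 1` so the step's status reflects the publish, not the log reader.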
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
tegg/plugin/mcp-client/package.json (1)
57-57: 🛠️ Refactor suggestion | 🟠 Major
`@modelcontextprotocol/sdk` should use `catalog:` rather than an inline version pin. Same issue as in `tegg/core/mcp-client/package.json`. Once the package is added to the workspace catalog (see that file's comment), replace the pin here too.
♻️ Proposed fix
- "@modelcontextprotocol/sdk": "^1.23.0", + "@modelcontextprotocol/sdk": "catalog:",
As per coding guidelines: "Use 'workspace:*' for internal package dependencies and 'catalog:' for external dependencies defined in pnpm-workspace.yaml."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tegg/plugin/mcp-client/package.json` at line 57, Replace the inline version pin for the dependency "@modelcontextprotocol/sdk" with a catalog reference; specifically update the dependency entry that currently reads "@modelcontextprotocol/sdk": "<version>" to use "catalog:`@modelcontextprotocol/sdk`" (i.e., set the version string to catalog:`@modelcontextprotocol/sdk`) so the package is resolved from the workspace catalog rather than a hard version pin.
tegg/core/mcp-client/package.json (1)
52-53: ⚠️ Potential issue | 🟡 Minor
Use `catalog:` for external dependencies `@langchain/mcp-adapters` and `@modelcontextprotocol/sdk`. Both are pinned with inline semver ranges (`^1.0.0`, `^1.23.0`) instead of the `catalog:` protocol. All external dependency versions should be centralized in `pnpm-workspace.yaml` and referenced as `catalog:` here, consistent with other dependencies in this file like `urllib`, `@types/node`, `typescript`, and `vitest`.
♻️ Proposed fix
- "@langchain/mcp-adapters": "^1.0.0", - "@modelcontextprotocol/sdk": "^1.23.0", + "@langchain/mcp-adapters": "catalog:", + "@modelcontextprotocol/sdk": "catalog:",
Also add entries to the `pnpm-workspace.yaml` catalog section:
"@langchain/mcp-adapters": "^1.0.0" "@modelcontextprotocol/sdk": "^1.23.0"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tegg/core/mcp-client/package.json` around lines 52 - 53, Replace the inline semver versions for the external deps in tegg/core/mcp-client/package.json by changing "@langchain/mcp-adapters": "^1.0.0" and "@modelcontextprotocol/sdk": "^1.23.0" to use the catalog protocol (e.g. "catalog:`@langchain/mcp-adapters`" and "catalog:`@modelcontextprotocol/sdk`") and then add matching entries to the pnpm-workspace.yaml catalog section mapping "@langchain/mcp-adapters" -> "^1.0.0" and "@modelcontextprotocol/sdk" -> "^1.23.0" so versions are centralized like the existing entries (e.g., urllib, `@types/node`, typescript, vitest).
🧹 Nitpick comments (2)
plugins/watcher/package.json (1)
65-72: `@eggjs/utils` is listed in both `dependencies` and `devDependencies`.
Line 66 declares `@eggjs/utils` as a runtime dependency and line 72 duplicates it in `devDependencies`. The `devDependencies` entry is redundant and should be removed to avoid confusion. Pre-existing issue, not introduced by this PR.
Proposed fix
"devDependencies": { "@eggjs/mock": "workspace:*", - "@eggjs/utils": "workspace:*", "egg": "workspace:*", "typescript": "catalog:" },
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugins/watcher/package.json` around lines 65 - 72, The package.json currently lists "@eggjs/utils" under both "dependencies" and "devDependencies"; remove the redundant entry from the "devDependencies" section so "@eggjs/utils" remains declared only as a runtime dependency in "dependencies". Locate the duplicate string "@eggjs/utils" in the package.json diff (the key under "devDependencies") and delete that entry, leaving other devDependencies untouched.
tegg/core/dynamic-inject-runtime/package.json (1)
61-63: Fix typo in `eggModule.name`: `teggDyniamicInjectRuntime` → `teggDynamicInjectRuntime`.
The `"Dyniamic"` has a typo and should be `"Dynamic"`. This name doesn't appear to be referenced elsewhere in the codebase, but fixing it improves consistency with the actual package naming.
Proposed fix
"eggModule": { - "name": "teggDyniamicInjectRuntime" + "name": "teggDynamicInjectRuntime" }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tegg/core/dynamic-inject-runtime/package.json` around lines 61 - 63, Update the eggModule.name value in package.json to correct the typo: change "teggDyniamicInjectRuntime" to "teggDynamicInjectRuntime" (adjust the "Dyniamic" -> "Dynamic") so the eggModule.name matches the package's intended naming; ensure you only modify the string value under the "eggModule" object and run a quick search to confirm no other occurrences need updating.
✅ Files skipped from review due to trivial changes (5)
- tegg/core/vitest/package.json
- tegg/core/types/package.json
- tegg/plugin/orm/package.json
- tegg/core/dynamic-inject/package.json
- tegg/core/schedule-decorator/package.json
🚧 Files skipped from review as they are similar to previous changes (45)
- tegg/core/lifecycle/package.json
- tegg/core/common-util/package.json
- plugins/multipart/package.json
- tegg/core/tegg/package.json
- plugins/jsonp/package.json
- packages/cookies/package.json
- packages/path-matching/package.json
- tools/create-egg/package.json
- tegg/core/background-task/package.json
- tegg/plugin/common/package.json
- tegg/plugin/ajv/package.json
- tegg/plugin/langchain/package.json
- tegg/core/standalone-decorator/package.json
- plugins/onerror/package.json
- packages/egg/package.json
- tegg/core/langchain-decorator/package.json
- tegg/core/eventbus-decorator/package.json
- tegg/core/core-decorator/package.json
- plugins/redis/package.json
- packages/cluster/package.json
- tegg/standalone/standalone/package.json
- plugins/view-nunjucks/package.json
- tegg/core/transaction-decorator/package.json
- tegg/core/runtime/package.json
- tegg/core/aop-runtime/package.json
- packages/koa-static-cache/package.json
- packages/router/package.json
- tegg/plugin/schedule/package.json
- plugins/typebox-validate/package.json
- tegg/plugin/dal/package.json
- tegg/plugin/controller/package.json
- tegg/core/aop-decorator/package.json
- packages/supertest/package.json
- packages/extend2/package.json
- tegg/plugin/config/package.json
- tegg/core/orm-decorator/package.json
- plugins/i18n/package.json
- tegg/core/controller-decorator/package.json
- plugins/security/package.json
- tegg/core/dal-runtime/package.json
- plugins/tracer/package.json
- tegg/core/metadata/package.json
- tegg/core/loader/package.json
- tegg/plugin/mcp-proxy/package.json
- plugins/view/package.json
Switch from static npm tokens to OIDC-based trusted publishing. npm CLI auto-detects OIDC environment and uses short-lived tokens, eliminating the need for NODE_AUTH_TOKEN secret. Provenance attestation is automatically generated. Add --access public for new scoped packages. Requires configuring trusted publisher on npmjs.com for each package.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force-pushed from c0114ec to ce10c18
Summary
- No `NODE_AUTH_TOKEN` needed
- `--access public` for automatic first-time publishing of new scoped packages

Required npm configuration
Each package needs trusted publisher configured on npmjs.com:
eggjs, Repository: egg, Workflow: release.yml

Test plan
🤖 Generated with Claude Code