Commit f9cd4fc

release @elastic/opentelemetry-node@1.5.0; switch to trusted publishing (#1063)
1 parent c23879a commit f9cd4fc

4 files changed: +14 -11 lines changed
.github/workflows/release.yml

Lines changed: 4 additions & 8 deletions
@@ -14,13 +14,11 @@ on:
1414
- 'packages/opentelemetry-node/**'
1515
- '.github/workflows/release.yml'
1616

17-
# 'id-token' perm needed for npm publishing with provenance (see
18-
# https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow)
1917
permissions:
2018
attestations: write
2119
contents: write
2220
pull-requests: read
23-
id-token: write
21+
id-token: write # Required for OIDC and provenance (npm publish)
2422

2523
jobs:
2624
release:
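Review bot: `id-token: write` sits in the workflow-level `permissions:` block, so every job in this workflow can mint an OIDC token, and with trusted publishing that token is now the npm publish credential. Consider moving `id-token: write` (and `attestations: write`) under the `release` job's own `permissions:` so that a job added later does not inherit them. The rewritten inline comment also drops the npm provenance docs link that the removed lines carried; keeping a docs URL next to the permission helps the next maintainer.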
@@ -34,8 +32,8 @@ jobs:
3432

3533
- uses: actions/setup-node@v5
3634
with:
37-
node-version: 'v18.20.2'
38-
registry-url: 'https://registry.npmjs.org'
35+
# Require npm 11.5.1 or later for https://docs.npmjs.com/trusted-publishers.
36+
node-version: 'v24.8.0'
3937

4038
# Setup a Docker "buildx" builder container, used by "build-push-action"
4139
# below for multi-platform image builds. Notes on multi-platform images:
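Review bot: the new comment says npm 11.5.1 or later is required, but the step only pins `node-version: 'v24.8.0'` and relies on whatever npm that Node release bundles; nothing in the hunk checks it. A short step before publish that fails when `npm --version` is below 11.5.1 would make the requirement explicit and catch a later change of the Node pin. Separately, `actions/setup-node@v5` is referenced by a mutable tag; since this change hardens the publish path, pinning it to a full commit SHA would be consistent.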
@@ -87,10 +85,8 @@ jobs:
8785
- name: npm publish (only for tag releases)
8886
if: startsWith(github.ref, 'refs/tags')
8987
working-directory: ./packages/opentelemetry-node
88+
# https://docs.npmjs.com/trusted-publishers
9089
run: npm publish
91-
env:
92-
# https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry
93-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
9490

9591
- name: GitHub release (only for tag releases)
9692
if: startsWith(github.ref, 'refs/tags')
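Review bot: removing the `env:` block with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` from the npm publish step stops the workflow from using the long-lived token, but the diff cannot show whether the token itself was retired. The `NPM_TOKEN` repository secret should be deleted and the token revoked on npmjs.com, otherwise the credential this change is meant to eliminate remains valid. The added comment is a bare URL; a few words stating that authentication now happens through OIDC trusted publishing would explain why `npm publish` runs without credentials.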

docs/release-notes/index.md

Lines changed: 7 additions & 0 deletions
@@ -29,6 +29,13 @@ To check for security updates, go to [Security announcements for the Elastic sta
2929
% ### Fixes [edot-node-X.X.X-fixes]
3030
% *
3131

32+
## 1.5.0 [edot-node-1.5.0-release-notes]
33+
34+
### Chores [edot-node-1.5.0-chores]
35+
36+
* Update to the latest upstream OpenTelemetry JS dependencies. ([#1062](https://github.com/elastic/elastic-otel-node/pull/1062))
37+
38+
* Switch to trusted publishing (https://docs.npmjs.com/trusted-publishers) as a security precaution against supply-chain attacks.
3239

3340
## 1.4.0 [edot-node-1.4.0-release-notes]
3441
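Review bot: the second new bullet under "Chores" uses a bare URL and carries no PR reference, while the bullet above it links its PR as `([#1062](...))`. Suggest writing it as `[trusted publishing](https://docs.npmjs.com/trusted-publishers)` and appending the reference to #1063 in the same form, so the entry is traceable to the change that introduced it.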

packages/opentelemetry-node/package-lock.json

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/opentelemetry-node/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@elastic/opentelemetry-node",
3-
"version": "1.4.0",
3+
"version": "1.5.0",
44
"type": "commonjs",
55
"description": "Elastic Distribution of OpenTelemetry Node.js (EDOT Node.js)",
66
"publishConfig": {
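Review bot: the `"version": "1.5.0"` bump lands in the same commit as the switch of the publish mechanism in release.yml, so 1.5.0 is the first release to go through the new OIDC path. If that publish fails, the fix has to be made against an already tagged release; landing the workflow change first and the version bump afterwards would keep the two separable. The package-lock.json change (2 additions, 2 deletions) is not rendered here and should be confirmed to contain only the matching version fields.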
