Open
Description
Background
https://docs.npmjs.com/trusted-publishers is available; however, see semantic-release/npm#958 (comment) (it's in beta).
The current approach relies on a short-lived token that expires soon.
Request
Use trusted publishers.
Initial attempt: #1092; however, this requires some work with the Synthetics team, cc @emilioalvap, @vigneshshanmugam
Caveats
Trusted publishers don't allow multiple GitHub workflows:
- https://github.com/elastic/synthetics/actions/workflows/release.yml
- https://github.com/elastic/synthetics/actions/workflows/dist-tag.yml
Therefore, it's required to combine both in a single workflow.
Semantic-release support for trusted publishers in beta
See semantic-release/npm#958 (comment)
semantic-release needs to be updated
```
$ npm install semantic-release@beta
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '[email protected]',
npm WARN EBADENGINE required: { node: '^22.14.0 || >= 24.10.0' },
npm WARN EBADENGINE current: { node: 'v20.12.2', npm: '10.5.0' }
npm WARN EBADENGINE }
...
```
Why
Secure our posture when releasing NPM packages.
Draft PR: