chore: update NPM publishing #465
Conversation
ryjones
force-pushed
the
npm-publish
branch
from
a980fe1 to
6e73cf2
Compare
jwagantall
left a comment
jwagantall
left a comment
There was a problem hiding this comment.
LGTM overall but would be nice to have a maintainer double checking..
bestbeforetoday
left a comment
bestbeforetoday
left a comment
There was a problem hiding this comment.
The only changes in this commit actually required for npm publishing are:
- The explicit permissions for the
publishnpmjob. - Removal of the
NODE_AUTH_TOKENenvironment variable in the npm publishing step, since trusted publishing is used instead of an auth token.
An additional step does need to be added between the actions/setup-node and npm publish steps:
# Ensure npm 11.5.1 or later for trusted publishing support
- name: Update npm
run: npm install -g npm@latestThe npm version bundled with Node 18 does not support trusted publishing so the npm version needs to be updated explicitly. I believe that npm v11 requires Node version ^20.17.0 || >=22.9.0 so the Node version specified with actions/setup-node will need to be updated. I would suggest using node-version: "lts/*" to pick the latest LTS release.
I don't think we should change any of the other jobs in this workflow since they deal with Docker publishing rather than npm publishing.
.github/workflows/release.yaml
Outdated
| # ---- Global permissions for Trusted Publishing & attestations ---- | ||
| # id-token:write is required for OIDC (npm trusted publishing, keyless attestations) | ||
| # packages:write for GHCR; attestations:write for GitHub artifact attestations (optional but recommended) | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| attestations: write |
There was a problem hiding this comment.
Each of the jobs within the workflow defines required permissions so there is no need to define permissions for the workflow. It would be OK to define just read permission as a minimal default:
permissions:
contents: read
.github/workflows/release.yaml
Outdated
| find . -type f -name 'fabric-*.tgz' -exec npm publish {} \; | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| find . -type f -name 'fabric-*.tgz' -print0 | xargs -0 -I{} npm publish {} --provenance --access public |
There was a problem hiding this comment.
I don't think there is any need for this change. The --exec option to find already invokes the command for each match, without needing the additional xargs command. The --provenance option to npm publish is implicit when trusted publishing is used. The --access option is unnecessary since publishing retains the (default) public visibility of the currently published package.
ryjones
force-pushed
the
npm-publish
branch
3 times, most recently
from
4e3f801 to
cfc993b
Compare
|
@bestbeforetoday thanks - I think I have all of your feedback rolled into it |
ryjones
force-pushed
the
npm-publish
branch
2 times, most recently
from
5576a86 to
41edabe
Compare
bestbeforetoday
left a comment
bestbeforetoday
left a comment
There was a problem hiding this comment.
One functional issue and some minor tidy-up suggestions.
.github/workflows/release.yaml
Outdated
| # ---- Global permissions for Trusted Publishing & attestations ---- | ||
| # id-token:write is required for OIDC (npm trusted publishing, keyless attestations) | ||
| # packages:write for GHCR; attestations:write for GitHub artifact attestations (optional but recommended) |
There was a problem hiding this comment.
I suggest removing these comments since they do not match the permissions statements below.
.github/workflows/release.yaml
Outdated
| steps: | ||
| - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | ||
| with: | ||
| node-version: "18.x" |
There was a problem hiding this comment.
The latest versions of npm (in the following step) will not work with Node 18. I suggest the latest LTS release (currently 22 and soon to be 24).
| node-version: "18.x" | |
| node-version: "lts/*" |
.github/workflows/release.yaml
Outdated
| - run: | | ||
| - name: Publish packages with provenance (OIDC) | ||
| # No NODE_AUTH_TOKEN needed when Trusted Publishing is enabled. | ||
| # --provenance tells npm to attach SLSA provenance to the package. [oai_citation:1‡The GitHub Blog](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/?utm_source=chatgpt.com) |
There was a problem hiding this comment.
I suggest removing this comment line since --provenance is not specified in the command-line below.
fixes #464 Signed-off-by: Ry Jones <[email protected]>
|
@bestbeforetoday done |
fixes #464