From 9f80a48237a9c6e92e6734c30bb7a67c1c9ec6d0 Mon Sep 17 00:00:00 2001 From: Reggi Date: Mon, 22 Sep 2025 10:57:48 -0400 Subject: [PATCH 1/2] Add line about `workflow_call` --- .../securing-your-code/trusted-publishers.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index c5cfa40a68d..8dec73940f4 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -278,6 +278,8 @@ If your package has private dependencies and `npm install` or `npm ci` is failin For packages in private repositories, provenance will not be generated even though you're using trusted publishing. This is a [known limitation](https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/) that applies regardless of whether your package itself is public or private. +When using GitHub Actions, some users run the actual `npm publish` command via `workflow_call` — i.e., a workflow calls another workflow that contains the `npm publish` command. As a result, workflow-name validation is performed against the calling (parent) workflow that was executed, not the called (callee) workflow. + ## Limitations and future improvements Trusted publishing currently supports only cloud-hosted runners. Support for self-hosted runners is intended for a future release. Each package can only have one trusted publisher configured at a time, though you can update this configuration as needed. From 80182611f2f9a6feb2e8a7883d8c770a121b5dd1 Mon Sep 17 00:00:00 2001 
From: Reggi Date: Mon, 22 Sep 2025 11:09:52 -0400 Subject: [PATCH 2/2] Update trusted publishers documentation Clarify GitHub Actions workflow behavior for npm publish. --- .../securing-your-code/trusted-publishers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index 8dec73940f4..57847d844e6 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx @@ -278,7 +278,7 @@ If your package has private dependencies and `npm install` or `npm ci` is failin For packages in private repositories, provenance will not be generated even though you're using trusted publishing. This is a [known limitation](https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/) that applies regardless of whether your package itself is public or private. -When using GitHub Actions, some users run the actual `npm publish` command via `workflow_call` — i.e., a workflow calls another workflow that contains the `npm publish` command. As a result, workflow-name validation is performed against the calling (parent) workflow that was executed, not the called (callee) workflow. +Some GitHub Actions workflows use `workflow_call` to invoke other workflows that run `npm publish`, or use `workflow_dispatch` for manual publishing. When this happens, validation checks the calling workflow's name instead of the workflow that actually contains the publish command, which can cause configuration mismatches. ## Limitations and future improvements
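Review bot: The added paragraph in the first hunk (PATCH 1/2, the `+When using GitHub Actions...` line) describes the behaviour but never tells the reader what to put in the trusted publisher configuration, which is the actionable part: state explicitly that the workflow filename configured for the trusted publisher must be the calling (parent) workflow that was actually triggered, not the reusable workflow that contains `npm publish`. Without that sentence, a reader who configured the callee's filename will see publishes rejected and has no pointer to the fix. Consider also replacing "some users run ... via `workflow_call`" with neutral reference wording such as "If your workflow invokes a reusable workflow via `workflow_call` to run `npm publish`, ...", and dropping the em dash in favour of a plain "that is,".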
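Review bot: The replacement line in the second hunk (PATCH 2/2, `+Some GitHub Actions workflows use `workflow_call` ... or use `workflow_dispatch` for manual publishing.`) folds `workflow_dispatch` into the `workflow_call` case, but the explanation that follows ("validation checks the calling workflow's name instead of the workflow that actually contains the publish command") only makes sense when one workflow calls another; a manually dispatched workflow that itself runs `npm publish` has no separate caller, so as written the sentence implies a mismatch that does not exist for plain `workflow_dispatch`. Either restrict the sentence to reusable workflows (as the removed line did, which was the more precise wording) or, if `workflow_dispatch` was added because a dispatched top-level workflow often calls a reusable one, say that: "whether the top-level workflow was triggered by `push`, `workflow_dispatch` or another event, validation uses the filename of that top-level workflow, not the reusable workflow it calls". "Which can cause configuration mismatches" is also vague; name the concrete symptom and remedy: the trusted publisher's configured workflow filename must match the top-level workflow, otherwise the publish is rejected.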