
cometkim (Member) commented Sep 9, 2025

The largest supply chain attack has recently affected many popular packages. It was a simple phishing attack that targeted the maintainer's account and 2FA token.

While this doesn't prevent attacks directly targeting maintainers, it does make package usage more secure.

  • Trusted publishers allow tokenless workflows via OIDC and prevent abuse of authorized maintainer access tokens.
  • Provenance allows you to verify that a version was published through a reviewed workflow.

administration guide:

  • Set up the trusted publisher first in the NPM package settings page. (I don't have permission, maybe @cknitt has?)
  • Disallow publishing via token, bypassing the 2FA.
  • Remove the NPM token from this repository's secrets.

@cometkim cometkim requested a review from cknitt September 9, 2025 19:10
pkg-pr-new bot commented Sep 9, 2025

rescript

npm i https://pkg.pr.new/rescript-lang/rescript@7867

@rescript/darwin-arm64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/darwin-arm64@7867

@rescript/darwin-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/darwin-x64@7867

@rescript/linux-arm64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/linux-arm64@7867

@rescript/linux-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/linux-x64@7867

@rescript/runtime

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/runtime@7867

@rescript/win32-x64

npm i https://pkg.pr.new/rescript-lang/rescript/@rescript/win32-x64@7867

commit: cc5393f

cknitt (Member) commented Sep 10, 2025

Remove the NPM token from this repository's secrets.

I think we can keep it until we have confirmed that the new workflow works fine (or even until it expires, it won't be accepted for publishing packages anymore anyway after the setting changes).

cometkim (Member, Author) commented:

Please let me know if the workflow doesn't work. @cknitt Are you manually assigning the latest tag? That will need to be automated, too.

cknitt (Member) commented Sep 10, 2025

@cometkim Yes, currently assigning it manually, see https://github.com/rescript-lang/rescript/blob/master/CONTRIBUTING.md#release-process.

The idea was that we could test the newly released version first before switching it "live".

I think we can keep doing that though (not with a token, but with credentials and 2FA)?

What would be your suggestion for automation?

cometkim (Member, Author) commented:

Manual publishing with 2FA is fine, but provenance is unavailable. I'm not sure if it also applies to the dist-tag command.
If necessary, it's not too difficult to create a custom workflow_dispatch trigger for it.
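The administration guide in the opening comment (register the trusted publisher, disallow token publishing, drop the NPM token secret) and the workflow_dispatch idea for promoting a tested version to `latest` map onto one GitHub Actions workflow. The following is an added example written for this thread, not the rescript-lang/rescript project's own release workflow. The file name, the `v*` tag convention, the `next` dist-tag and the package name placeholder `PACKAGE_NAME` are assumptions; the trusted publisher registered in the npm package settings has to name this repository and this workflow file (and the environment, if one is configured) for the OIDC exchange to be accepted. Whether `npm dist-tag add` is honoured under the trusted-publishing credential is left open in the thread above, so the promote job is marked as an assumption.

```yaml
# Added example for the thread above; not the project's own workflow.
# Assumptions: file name .github/workflows/release.yml, tag pattern v*,
# dist-tag "next" for untested releases, PACKAGE_NAME as a placeholder.
# Trusted publishing needs npm >= 11.5.1 on the runner.
name: release

on:
  push:
    tags: ['v*']          # assumed tag convention for a release
  workflow_dispatch:      # manual promotion after the release has been tested
    inputs:
      version:
        description: 'Already published version to tag as latest'
        required: true

# Default-deny at the workflow level; each job opts in to what it needs.
permissions:
  contents: read

jobs:
  publish:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write     # lets npm obtain a GitHub OIDC token for the registry
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # ensures npm >= 11.5.1 (trusted publishing)
      - run: npm ci
      # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere in this job: the registry
      # authenticates the OIDC token, so the long-lived token secret can be
      # removed and token-based publishing disabled in the package settings.
      # --provenance records the workflow, commit and runner in a public
      # attestation that consumers can verify. Publishing to "next" rather
      # than "latest" keeps the "test first, then switch live" step.
      - run: npm publish --provenance --access public --tag next

  promote:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    env:
      # Pass the input through an env var instead of interpolating
      # ${{ inputs.version }} into the shell line, so an untrusted input
      # cannot inject shell syntax.
      VERSION: ${{ inputs.version }}
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest
      # Check before promoting: install exactly that version into a scratch
      # project and let npm verify the registry signature and the provenance
      # attestation. The step fails on an invalid signature or attestation.
      - run: |
          mkdir scratch && cd scratch
          npm init -y >/dev/null
          npm install "PACKAGE_NAME@$VERSION"
          npm audit signatures
      # ASSUMPTION: that the trusted-publishing credential is accepted for
      # dist-tag changes. If the registry rejects it, this one command is
      # the step to keep in a maintainer's 2FA session instead.
      - run: npm dist-tag add "PACKAGE_NAME@$VERSION" latest
```

Two checks worth doing once this is live: confirm in the npm package settings that token publishing is disallowed (so a leaked or phished classic token can no longer publish), and run `npm audit signatures` in a consumer project against the first trusted-published version to confirm the attestation is actually present rather than assuming `--provenance` took effect.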

cometkim (Member, Author) commented:

Let's check it out in the next beta release. Let me know if the npm dist-tag add command fails.

@cometkim cometkim merged commit 34d78c4 into rescript-lang:master Sep 10, 2025
25 checks passed
@cometkim cometkim deleted the trusted-publish-ci branch September 10, 2025 20:27