From f2f3ec0c5cdd8f19b222cf08359c0e53d1abac33 Mon Sep 17 00:00:00 2001 From: Chenxiang Zhang Date: Wed, 29 Oct 2025 10:24:59 -0400 Subject: [PATCH] Update releasing.md on how to rotate npm tokens --- RELEASING.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/RELEASING.md b/RELEASING.md index 19d961fd3..d802eec80 100644 --- a/RELEASING.md +++ b/RELEASING.md @@ -80,3 +80,42 @@ yarn release Feature branches are automatically released under: - `http://cdn.segment.com/analytics-next/br///standalone.js.gz` + +## NPM Token Management + +### How to Rotate/Update NPM Tokens + +The repository uses an NPM token stored in GitHub Actions secrets (`NPM_TOKEN`) to publish packages automatically. Due to npm's security updates, tokens now have a maximum 90-day lifetime and classic tokens will be revoked. You should use **Granular Access Tokens** for better security. + +#### Creating a New NPM Token + +1. **Generate a new token at npm**: + - Go to https://www.npmjs.com/settings/YOUR_USERNAME/tokens + - Click "Generate New Token" → "Granular Access Token" + - Configure the token: + - **Token Name**: Something descriptive like "analytics-next-ci" + - **Expiration**: 90 days (maximum) + - **Permissions**: Select "Read and write" + - **Packages and scopes**: Select packages in `@segment` organization + - Copy the token (starts with `npm_`) + +2. **Test the token locally**: + ```bash + # Add token to your ~/.npmrc + echo "//registry.npmjs.org/:_authToken=YOUR_NEW_TOKEN" > ~/.npmrc + + # Verify authentication + npm whoami + + # Build packages + yarn build + + # Test dry-run publish (doesn't actually publish) + cd packages/core && npm publish --dry-run + cd ../browser && npm publish --dry-run + cd ../node && npm publish --dry-run + ``` + +3. **Update GitHub Actions Secret**: + - Go to: https://github.com/segmentio/analytics-next/settings/secrets/actions + - Update secret for `NPM_TOKEN` \ No newline at end of file
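Review bot: the local test in step 2 clobbers the developer's existing `~/.npmrc` because it redirects with `>` instead of `>>`: `echo "//registry.npmjs.org/:_authToken=YOUR_NEW_TOKEN" > ~/.npmrc` discards any registry, scope or auth settings already in that file. Suggest appending (`>>`) or using `npm config set //registry.npmjs.org/:_authToken YOUR_NEW_TOKEN`, and adding a final line such as `npm config delete //registry.npmjs.org/:_authToken` once the dry runs pass, since the step otherwise leaves a 90-day read/write publish token in plaintext on the workstation. Step 3 also stops at updating the `NPM_TOKEN` secret and never tells the operator to revoke the previous token at npmjs.com, so a section titled "How to Rotate/Update NPM Tokens" currently documents adding a token rather than rotating one; a step 4 "Revoke the old token" (and a note that the CI publish should be re-verified after the swap) would close that gap.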