@3w36zj6 (Member) commented Dec 31, 2025

Copilot AI left a comment

Pull request overview

This PR configures npm trusted publishing using OpenID Connect (OIDC) authentication, enhancing security by eliminating the need for long-lived NPM_TOKEN secrets. The changes also improve GitHub Actions security posture by pinning actions to commit SHAs, adding explicit permission controls, and introducing automated security linting tools.

Key changes:

  • Migrated npm publishing from token-based authentication to OIDC trusted publishing
  • Pinned all GitHub Actions to specific commit SHAs for supply chain security
  • Added GitHub Actions security linting tools (actionlint, ghalint, zizmor) with toolchain configuration

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File | Description
.tool-versions | Added security linting tools (pinact, zizmor, actionlint, ghalint) and reformatted for better alignment
.github/workflows/publish.yaml | Configured OIDC permissions, pinned actions to commit SHAs, removed NPM_TOKEN secret dependency, added timeouts and security settings
.github/workflows/ci.yaml | Pinned actions to commit SHAs, added explicit permissions, timeouts, persist-credentials: false, and new github-actions security linting job


bun-version-file: ".tool-versions"
- run: bun install --frozen-lockfile
- run: npm run build
- run: npm publish

Copilot AI Dec 31, 2025

The provenance option should be explicitly set to true when using npm trusted publishing with OIDC. Add 'provenance: true' to the npm publish command to ensure package provenance is generated and published.

Suggested change
-      - run: npm publish
+      - run: npm publish --provenance

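The publish workflow that the review overview (OIDC permissions, SHA-pinned actions, no NPM_TOKEN, timeouts, persist-credentials: false) and the inline --provenance suggestion describe, written out as an added example. This is not the project's own publish.yaml: the commit SHAs are placeholders to be replaced with the real pinned SHAs, the tag-push trigger is an assumption, and it assumes a trusted publisher for this repository and workflow file has already been registered for the package on npmjs.com.

```yaml
# Added example of an npm trusted-publishing workflow; not the project's file.
# Every <COMMIT_SHA_PLACEHOLDER> must be replaced by the full commit SHA of the
# action release you audited (the trailing comment records the human-readable tag).
name: publish

on:
  push:
    tags:
      - "v*"          # assumed trigger: publish on version tags

# Top-level default: no permissions at all. Each job opts in to what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    timeout-minutes: 10          # bound a hung or hijacked job
    permissions:
      contents: read             # enough to check out the repository
      id-token: write            # lets the job mint a GitHub OIDC token for npm
    steps:
      - uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER> # e.g. v4.x.y
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - uses: oven-sh/setup-bun@<COMMIT_SHA_PLACEHOLDER> # e.g. vN
        with:
          bun-version-file: ".tool-versions"

      - run: bun install --frozen-lockfile   # lockfile must match exactly
      - run: npm run build

      # Before this change the step needed a long-lived secret, roughly:
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # With trusted publishing, npm exchanges the workflow's OIDC token for a
      # short-lived publish credential, so no secret is stored in the repository.
      # --provenance also attaches a signed build attestation to the package.
      - run: npm publish --provenance
```

The security-relevant parts are the three that are easy to lose in a refactor: the empty top-level `permissions: {}` so nothing inherits write access by default, `id-token: write` scoped to the one job that publishes, and the commit-SHA pins so a moved tag in a third-party action cannot change what runs. Tools of the kind this PR adds (pinact for pinning, zizmor and ghalint for linting) exist to catch exactly these regressions, for example an action referenced by a mutable tag or a checkout that keeps its credentials.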

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.


@3w36zj6 3w36zj6 merged commit 0fc8183 into main Jan 1, 2026
13 checks passed
@3w36zj6 3w36zj6 deleted the feature/configure-npm-trusted-publishing branch January 1, 2026 00:11