Harden npm publish pipeline with OIDC trusted publishing #6
Move releases off developer machines into a GitHub Actions workflow that publishes via npm trusted publishing (OIDC) with provenance, eliminating long-lived npm tokens. Also pin all GitHub Actions to commit SHAs and add Dependabot to keep them current.

- New release.yml: runs on `release: published`, gated by `npm-publish` environment, verifies tag matches package.json version, publishes with `--provenance --access public`. No NPM_TOKEN.
- ci.yml: pin actions to SHAs, add `persist-credentials: false` and `timeout-minutes: 15`.
- package.json: add `publishConfig` with `provenance: true`.
- README: replace manual publish checklist with new Releasing section covering the CI flow, rollback, and troubleshooting.

Out-of-band steps (not in this commit) still required before the next release: configure npm Trusted Publisher, create the `npm-publish` GitHub Environment with master+v* restriction, enable branch protection, and reduce individual maintainer publish rights on npm once CI publishes work end-to-end.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| - name: Upgrade npm (trusted publishing requires >= 11.5.1) | ||
| run: npm install -g npm@latest |
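Review bot: `npm install -g npm@latest` is the one unpinned install in a PR whose whole point is pinning actions to commit SHAs; whatever npm happens to be `latest` at publish time ends up in the publish path. Pin at least a major (`npm@11`, which still satisfies the >= 11.5.1 requirement stated in the step name) or an exact version so the publish job is reproducible.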
Kept the npm upgrade, but narrowed it from npm@latest to npm@11. The current npm trusted-publishing docs still require npm CLI >=11.5.1, and this workflow uses Node 22, so I do not want to rely on the bundled npm being new enough: https://docs.npmjs.com/trusted-publishers
| - name: Upgrade npm (trusted publishing requires >= 11.5.1) | ||
| run: npm install -g npm@latest | ||
|
|
||
| - run: npm ci |
ensure there is an npmrc that looks like this in the repo:
ignore-scripts=true
min-release-age=3
save-exact=true
Added the repo .npmrc with those settings. Since ignore-scripts=true means the publish path should not rely on prepublishOnly, I also added an explicit npm run build before npm publish and verified the dry-run tarball includes dist.
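The pre-publish gate the thread describes, as an added example and not the PR's own release.yml: the release tag must match the `version` in package.json before anything is published, and the repo .npmrc must carry the three settings requested above. Written as a POSIX shell script the publish job could run before `npm publish`; the function names (`tag_to_version`, `package_version`, `check_release_version`, `check_npmrc`, `release_gate`) and the sample files in the usage line are this example's own, and the checks deliberately use only sed and grep so they work before `npm ci` and without jq.

```shell
#!/bin/sh
# Added example (not the PR's release.yml): pre-publish gate for a trusted-
# publishing release job. Helper names below are this example's own.

# Strip the leading "v" from a release tag: v1.2.3 -> 1.2.3
tag_to_version() {
  printf '%s\n' "$1" | sed 's/^v//'
}

# Read the top-level "version" from a package.json with sed only, so the
# gate runs before `npm ci` and needs no jq. First match wins.
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 when the tag's version equals package.json's, 1 otherwise.
# A mismatched tag is refused so a stale or mistyped release tag can never
# publish a different version than the one that was reviewed.
check_release_version() {
  tag="$1"; pkg="$2"
  want=$(tag_to_version "$tag")
  have=$(package_version "$pkg")
  if [ -z "$have" ]; then
    echo "error: no version field in $pkg" >&2
    return 1
  fi
  if [ "$want" != "$have" ]; then
    echo "error: tag $tag ($want) does not match package.json version $have" >&2
    return 1
  fi
  echo "ok: tag $tag matches package.json version $have"
}

# Returns 0 when .npmrc contains every required key=value line, 1 otherwise.
# ignore-scripts=true keeps dependency lifecycle scripts from running during
# `npm ci` in the publish job, save-exact=true avoids version-range drift,
# and min-release-age=3 is the value the reviewer asked for in this thread.
check_npmrc() {
  rc="$1"; status=0
  for setting in ignore-scripts=true min-release-age=3 save-exact=true; do
    if ! grep -qxF "$setting" "$rc" 2>/dev/null; then
      echo "error: $rc is missing '$setting'" >&2
      status=1
    fi
  done
  return $status
}

# Full gate: both checks must pass. Returns 0 on success.
release_gate() {
  check_release_version "$1" "$2" && check_npmrc "$3"
}

# Usage in a workflow step: sh release-gate.sh "$GITHUB_REF_NAME" package.json .npmrc
if [ "$#" -eq 3 ]; then
  release_gate "$1" "$2" "$3" || exit 1
fi
```

Because `ignore-scripts=true` also applies to the publish step itself, the build has to be an explicit step (as done above with `npm run build`) rather than a `prepublishOnly` hook; the gate does not try to replace that, it only refuses to proceed when the tag or the .npmrc is wrong.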
| jobs: | ||
| publish: | ||
| runs-on: ubuntu-latest | ||
| environment: npm-publish |
Leaving this in place as the GitHub Environment gate for the publish job. It lets us apply the npm-publish branch/tag restrictions outside the workflow.
I assume this is from a bot? I was just commenting that it's fancy
derekcicerone left a comment
looks good, just some small tweaks
55751dd to 76d023b
Summary
- `release.yml`: GitHub Actions workflow that publishes via npm trusted publishing (OIDC) with provenance — no long-lived `NPM_TOKEN` anywhere. Triggered by `release: published`, gated by an `npm-publish` GitHub Environment, with a tag-vs-`package.json` version check before publish.
- Pin actions in `ci.yml` and `release.yml` to commit SHAs, add `persist-credentials: false` and a job timeout, and introduce `.github/dependabot.yml` to keep the SHA pins current.
- Add `publishConfig` (`access: public`, `provenance: true`) to `package.json` and replace the manual publish checklist in the README with a "Releasing" section covering the CI flow, rollback (`npm deprecate`), and troubleshooting.

Out-of-band steps required before this can publish

These cannot be done in code — please complete on merge:

- Configure the npm Trusted Publisher for `@roamhq/openclaw-roam` (org `WonderInventions`, repo `openclaw-roam`, workflow `release.yml`, environment `npm-publish`).
- Create the `npm-publish` GitHub Environment with deployment branches/tags restricted to `master` and `v*` (no required reviewers, per request).
- Enable branch protection on `master` and reduce individual maintainer publish rights on npm after the first successful CI publish.

Test plan

- `npm run typecheck` clean
- `npm test` — 139/139 passing
- `npm pack --dry-run` clean (35 files, 54.3 kB)
- A `0.1.2-rc.0` prerelease via the new flow, verifying the green provenance badge on npmjs.com

🤖 Generated with Claude Code