Fiddle: update to use OIDC for npm publishing#236
Pull request overview
This PR modernizes the npm publishing workflow by migrating from the legacy NPM_TOKEN secret-based authentication to OIDC (OpenID Connect) authentication, which is more secure and doesn't require managing long-lived tokens.
Key Changes:
- Adds OIDC permissions (id-token: write) to enable GitHub Actions to authenticate with npm
- Removes the NPM_TOKEN secret and .npmrc file creation
- Extracts the built package from Docker and runs publish commands directly in the GitHub Actions environment using Node.js 20
| - name: Publish package to npm | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| run: docker run -v $(pwd)/.npmrc:/root/.npmrc $DOCKER_IMAGE make publish | ||
| run: npm publish |
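Review bot: the new npm publish step has no dry run or tarball inspection in front of it, so the tag-gated publish ships whatever the workspace contains at that point. Consider adding a step such as "run: npm pack --dry-run" before it (and "npm publish --dry-run" on non-tag runs) so the file list shows up in the job log before anything is released.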
The npm publish command is missing the --provenance flag which is recommended when using OIDC authentication. This flag ensures that provenance attestations are generated and published, providing better supply chain security and transparency.
Add the --provenance flag:
run: npm publish --provenance
| run: npm publish | |
| run: npm publish --provenance |
| - name: Publish next package to npm | ||
| if: steps.vars.outputs.commit_count != '0' && github.ref == 'refs/heads/main' | ||
| run: docker run -v $(pwd)/.npmrc:/root/.npmrc $DOCKER_IMAGE make NEXT_VERSION=${{ steps.vars.outputs.commit_count }} publish-next | ||
| run: npx kiba-publish --next --next-version ${{ steps.vars.outputs.commit_count }} |
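Review bot: npx kiba-publish is invoked without a pinned version. If kiba-publish is not already resolvable from the workspace's dependency tree, npx fetches whatever version the registry serves at run time, inside a job that holds an id-token: write credential. Pin it (npx kiba-publish@<version>, with the version taken from the lockfile) or make sure the run uses the locally installed copy.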
When using OIDC authentication with npm, it's recommended to add the --provenance flag to enable npm provenance attestations. This provides better supply chain security by linking the published package to its source.
If kiba-publish supports it, consider adding the --provenance flag or ensuring it's passed through to the underlying npm publish command.
| - name: Extract built package from Docker | ||
| run: | | ||
| docker create --name temp-container $DOCKER_IMAGE | ||
| docker cp temp-container:/app/. ./ |
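Review bot: the container is created under the fixed name temp-container, and nothing in this block removes it if docker cp fails. Capture the id instead (cid=$(docker create "$DOCKER_IMAGE")) and remove it on exit with trap 'docker rm -f "$cid"' EXIT, so a retried job on a persistent runner neither collides on the name nor accumulates stopped containers.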
The Docker extraction step copies all files from the container to the current directory, which could potentially overwrite important files like .git, .github, or the workflow files themselves. This is particularly risky since the checkout includes the full git history (fetch-depth: 0).
Consider extracting only the necessary built artifacts:
- name: Extract built package from Docker
  run: |
    docker create --name temp-container $DOCKER_IMAGE
    docker cp temp-container:/app/dist ./dist
    docker cp temp-container:/app/package.json ./package.json
    docker rm temp-container
Or extract to a temporary directory first and then copy only what's needed.
| docker cp temp-container:/app/. ./ | |
| docker cp temp-container:/app/dist ./dist | |
| docker cp temp-container:/app/package.json ./package.json |
| - name: Extract built package from Docker | ||
| run: | | ||
| docker create --name temp-container $DOCKER_IMAGE | ||
| docker cp temp-container:/app/. ./ | ||
| docker rm temp-container | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Update npm to latest | ||
| run: npm install -g npm@latest | ||
| - name: Publish next package to npm | ||
| if: steps.vars.outputs.commit_count != '0' && github.ref == 'refs/heads/main' | ||
| run: docker run -v $(pwd)/.npmrc:/root/.npmrc $DOCKER_IMAGE make NEXT_VERSION=${{ steps.vars.outputs.commit_count }} publish-next | ||
| run: npx kiba-publish --next --next-version ${{ steps.vars.outputs.commit_count }} |
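Review bot: copying /app/. into the workspace and then publishing from there means the tarball is built from the image's full output tree, not from the checkout. Unless package.json has a restrictive files field (or an .npmignore that covers everything the image adds), extra files can end up in the published package; check the contents with npm pack --dry-run before the publish steps run.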
After extracting files from Docker with docker cp temp-container:/app/. ./, the node_modules directory from the Docker container will be in the workspace. However, the subsequent npx commands will try to use these modules which were built for the Docker environment (node:24.11.1) but are now running in the GitHub Actions environment with Node 20.
This could lead to binary incompatibility issues if there are any native modules. Consider either:
- Running npm install after extraction to ensure modules are compatible with the GitHub Actions environment
- Only extracting the dist folder and necessary files, then running npm install to get fresh dependencies
- Running the publish commands inside the Docker container as was done previously
| - name: Update npm to latest | ||
| run: npm install -g npm@latest |
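Review bot: agree that the version should be pinned rather than tracking @latest, but the pinned release has to be one that supports OIDC trusted publishing, which is the only reason this step replaces the npm bundled by the Node 20 setup above. Verify the chosen version supports it before pinning; otherwise the publish steps fail with no NPM_TOKEN left to fall back on.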
Updating npm to the latest version with npm install -g npm@latest could introduce breaking changes or unexpected behavior, especially since this is a critical deployment step.
Consider pinning to a specific npm version for reproducibility and stability:
run: npm install -g npm@10.9.2
This ensures the deployment process is consistent across runs and won't break if a new npm version introduces issues.
| - name: Update npm to latest | |
| run: npm install -g npm@latest | |
| - name: Update npm to specific version | |
| run: npm install -g npm@10.9.2 |