Fiddle: update to use OIDC for npm publishing #236
@@ -10,9 +10,11 @@ concurrency: | |||||||||
| jobs: | ||||||||||
| deploy-package: | ||||||||||
| runs-on: ubuntu-latest | ||||||||||
| permissions: | ||||||||||
| contents: read | ||||||||||
| id-token: write # Required for OIDC authentication with npm | ||||||||||
| env: | ||||||||||
| DOCKER_IMAGE: package | ||||||||||
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||||||||||
| steps: | ||||||||||
| - name: Check out the repo | ||||||||||
| uses: actions/checkout@v4 | ||||||||||
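Review bot: with NPM_TOKEN dropped from env, the only credential this job can obtain is the OIDC ID token that "id-token: write" allows, and because the permission is set at job level every step in the job, third-party actions included, can request that token; pin "uses: actions/checkout@v4" (and any other action in this job) to a full commit SHA rather than a moving tag so that a re-pointed tag cannot change what runs inside the token-bearing job. The permissions block is otherwise least-privilege ("contents: read" only), which is the right shape for a publish job.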
@@ -32,14 +34,24 @@ jobs: | |||||||||
| - name: Calculate commit count since last tag | ||||||||||
| id: vars | ||||||||||
| run: echo ::set-output name=commit_count::$(git rev-list $(git describe --tags --abbrev=0)..HEAD --count) | ||||||||||
| - name: Create .npmrc file | ||||||||||
| run: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc | ||||||||||
| - name: Extract built package from Docker | ||||||||||
| run: | | ||||||||||
| docker create --name temp-container $DOCKER_IMAGE | ||||||||||
| docker cp temp-container:/app/. ./ | ||||||||||
| docker rm temp-container | ||||||||||
| - name: Setup Node.js | ||||||||||
| uses: actions/setup-node@v4 | ||||||||||
| with: | ||||||||||
| node-version: '20' | ||||||||||
| registry-url: 'https://registry.npmjs.org' | ||||||||||
| - name: Update npm to latest | ||||||||||
| run: npm install -g npm@latest | ||||||||||
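Review bot: "run: npm install -g npm@latest" makes the publish step depend on whatever npm version is current on the day the job runs, so a breaking or compromised npm release reaches this workflow without any change to the repository; pin an explicit version (for example "run: npm install -g npm@<pinned version>") and bump it deliberately, or rely on the npm that ships with the Node 20 toolchain from setup-node if it is recent enough for OIDC publishing. The retained context line "run: echo ::set-output name=commit_count::..." also uses the deprecated set-output workflow command; appending "commit_count=..." to the file named by $GITHUB_OUTPUT is the supported replacement. Finally, now that the "Create .npmrc file" step is gone, confirm nothing else in the workflow still reads secrets.NPM_TOKEN.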
Comment on lines +47 to +48, suggested change (original lines, then suggestion):
- name: Update npm to latest
  run: npm install -g npm@latest
- name: Update npm to specific version
  run: npm install -g npm@10.9.2
Copilot AI, Dec 10, 2025
When using OIDC authentication with npm, it's recommended to add the --provenance flag to enable npm provenance attestations. This provides better supply chain security by linking the published package to its source.
If kiba-publish supports it, consider adding the --provenance flag or ensuring it's passed through to the underlying npm publish command.
Copilot AI, Dec 10, 2025
After extracting files from Docker with docker cp temp-container:/app/. ./, the node_modules directory from the Docker container will be in the workspace. However, the subsequent npx commands will try to use these modules which were built for the Docker environment (node:24.11.1) but are now running in the GitHub Actions environment with Node 20.
This could lead to binary incompatibility issues if there are any native modules. Consider either:
- Running npm install after extraction to ensure modules are compatible with the GitHub Actions environment
- Only extracting the dist folder and necessary files, then running npm install to get fresh dependencies
- Running the publish commands inside the Docker container as was done previously
Copilot AI, Dec 10, 2025
The npm publish command is missing the --provenance flag which is recommended when using OIDC authentication. This flag ensures that provenance attestations are generated and published, providing better supply chain security and transparency.
Add the --provenance flag (suggested change, original line then suggestion):
run: npm publish
run: npm publish --provenance
The Docker extraction step copies all files from the container to the current directory, which could potentially overwrite important files like .git, .github, or the workflow files themselves. This is particularly risky since the checkout includes the full git history (fetch-depth: 0).
Consider extracting only the necessary built artifacts:
Or extract to a temporary directory first and then copy only what's needed.
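The extraction hardening that the two Copilot comments above describe (stage the container contents in a temporary directory, bring over only the built artifacts, and leave the checkout's .git and .github and the container-built node_modules alone), as an added shell example that is not part of this PR or of the Fiddle project. The staging directory stands in for the container's /app; in the workflow it would be filled by docker cp temp-container:/app/. into that directory, which is replaced here by a constructed tree so the script runs offline. copy_artifacts and demo are names introduced for this example, and every file content in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or the Fiddle project.
# The staging dir models the container's /app (the workflow would fill it with
# "docker cp temp-container:/app/. $staging/"); copy_artifacts() then moves only
# an explicit allowlist into the workspace and refuses anything that could
# clobber the checkout, the workflow files, or drag in container-built modules.

# copy_artifacts STAGING WORKSPACE ITEM...
# exit status: 0 ok, 1 an item is missing from staging, 2 an item is protected
copy_artifacts() {
  staging=$1; workspace=$2; shift 2
  for item in "$@"; do
    case "$item" in
      ''|/*|..|../*|*/..|*/../*|.git|.git/*|.github|.github/*|node_modules|node_modules/*)
        echo "refusing to copy protected or non-relative path: $item" >&2
        return 2 ;;
    esac
    if [ ! -e "$staging/$item" ]; then
      echo "build output is missing $item" >&2
      return 1
    fi
    rm -rf "${workspace:?}/$item"            # replace, never merge into a stale copy
    mkdir -p "$(dirname "$workspace/$item")"
    cp -R "$staging/$item" "$workspace/$item"
  done
}

# Self-contained check with constructed data: a staging tree that mimics a
# container /app (built dist, package.json, a node_modules compiled under a
# different Node, and a planted .github dir) plus a workspace whose .git and
# .github must survive untouched. Returns 0 only if every expectation holds.
demo() {
  tmp=$(mktemp -d) || return 1
  staging=$tmp/staging; workspace=$tmp/workspace
  mkdir -p "$staging/dist" "$staging/node_modules/native-addon" \
           "$staging/.github/workflows" "$workspace/.git" "$workspace/.github/workflows"
  echo 'module.exports = 1' > "$staging/dist/index.js"
  echo '{"name":"example","version":"1.0.0"}' > "$staging/package.json"
  echo 'built-in-container' > "$staging/node_modules/native-addon/build.node"
  echo 'tampered: true' > "$staging/.github/workflows/publish.yml"
  echo 'ref: refs/heads/main' > "$workspace/.git/HEAD"
  echo 'original: true' > "$workspace/.github/workflows/publish.yml"

  # Only the allowlisted artifacts land in the workspace.
  copy_artifacts "$staging" "$workspace" dist package.json || return 1
  [ -f "$workspace/dist/index.js" ] || return 1
  [ -f "$workspace/package.json" ] || return 1
  [ "$(cat "$workspace/.git/HEAD")" = "ref: refs/heads/main" ] || return 1
  [ "$(cat "$workspace/.github/workflows/publish.yml")" = "original: true" ] || return 1
  [ ! -e "$workspace/node_modules" ] || return 1

  # A request for the workflow directory is refused outright (status 2).
  copy_artifacts "$staging" "$workspace" .github/workflows 2>/dev/null
  [ $? -eq 2 ] || return 1
  # A missing build artifact fails loudly (status 1) rather than publishing a hole.
  copy_artifacts "$staging" "$workspace" lib 2>/dev/null
  [ $? -eq 1 ] || return 1

  rm -rf "$tmp"
  return 0
}

demo && echo "artifact copy behaved as expected"
```

In the workflow the step would call copy_artifacts with the allowlist and then run npm ci so that any native modules are rebuilt against the runner's Node rather than the container's, which also addresses the version-mismatch comment above.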