Skip to content

NPM workflow: Used trusted publishing #2700

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rebeccahum merged 1 commit into from
Jan 21, 2026
Merged

NPM workflow: Used trusted publishing #2700

rebeccahum merged 1 commit into from
Jan 21, 2026

Conversation

@rebeccahum
Copy link
Contributor

@rebeccahum rebeccahum commented Jan 20, 2026

No description provided.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 20, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/Automattic/vip-actions/npm-publish 0.7.3 UnknownUnknown

Scanned Files

  • .github/workflows/npm-publish.yml

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 20, 2026
View reviewed changes
.github/workflows/npm-prepare-release.yml

- name: Run npm-prepare-release
uses: Automattic/vip-actions/npm-prepare-release@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk
uses: Automattic/vip-actions/npm-prepare-release@v0.7.3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Prepare a new npm release' step
Uses Step
Loading
uses 'Automattic/vip-actions/npm-prepare-release' with ref 'v0.7.3', not a pinned commit hash
.github/workflows/npm-publish-prerelease.yml
pull-requests: write
steps:
- uses: Automattic/vip-actions/npm-publish-prerelease@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk
- uses: Automattic/vip-actions/npm-publish@v0.7.3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Publish prerelease to npm' step
Uses Step
Loading
uses 'Automattic/vip-actions/npm-publish' with ref 'v0.7.3', not a pinned commit hash
.github/workflows/npm-publish.yml
pull-requests: write
steps:
- uses: Automattic/vip-actions/npm-publish@1137b91acf0f5ea4e0db044bcf14ceabed9b068f # trunk
- uses: Automattic/vip-actions/npm-publish@v0.7.3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Publish to npm (if applicable)' step
Uses Step
Loading
uses 'Automattic/vip-actions/npm-publish' with ref 'v0.7.3', not a pinned commit hash
@rebeccahum rebeccahum marked this pull request as ready for review January 20, 2026 20:10
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 20, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@rebeccahum rebeccahum requested a review from a team January 20, 2026 20:13
@rebeccahum rebeccahum merged commit cac072a into trunk Jan 21, 2026
19 checks passed
@rebeccahum rebeccahum deleted the update-npm-workflow branch January 21, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luiztiago luiztiago luiztiago approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rebeccahum @luiztiago