Add trusted publishing #60

Merged
merged 3 commits into from
Aug 3, 2025
Conversation

martincostello (Member) commented Aug 3, 2025

  • Publish to npmjs.org from tags using npm trusted publishing.
  • Pin GitHub Actions by Git SHA.
  • Refactor permissions.
  • Bump version to 9.0.1.

Run `npm audit fix` to resolve a vulnerability.
- Publish to npmjs.org from tags.
- Pin GitHub Actions by Git SHA.
- Refactor permissions.
Bump version to 9.0.1.
@martincostello added the labels enhancement, dependencies (pull requests that update a dependency file) and javascript (pull requests that update JavaScript code) on Aug 3, 2025
@martincostello marked this pull request as ready for review on August 3, 2025 08:07
@Copilot (Copilot AI) review requested due to automatic review settings on August 3, 2025 08:07
@martincostello merged commit 474a957 into dev on Aug 3, 2025
1 check passed
@Copilot Copilot AI left a comment

Pull Request Overview

This PR implements npm trusted publishing for automated package releases and improves CI security practices. The changes enable publishing to npmjs.org from tagged releases using GitHub's OIDC-based trusted publishing feature, while also pinning GitHub Actions to specific commit SHAs for enhanced security.

  • Adds npm trusted publishing workflow triggered by Git tags
  • Pins GitHub Actions to specific commit SHAs for security
  • Updates package version to 9.0.1

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

  • package.json: Bumps version from 9.0.0 to 9.0.1
  • .github/workflows/build.yml: Adds trusted publishing setup, pins actions to SHAs, and configures tag-based publishing

Comments suppressed due to low confidence (1)

.github/workflows/build.yml:54

  • The 'Publish' step has incorrect indentation. It should be aligned with other job steps, not nested under the 'Test' step. The line in question:

        - name: Publish

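The workflow shape that the description and the review above talk about (publishing from Git tags with npm's OIDC-based trusted publishing, actions pinned to commit SHAs, and permissions narrowed so that only the publish job gets the token scope it needs), written out as an added illustration. This is not the PR's own build.yml: the job and step names are assumptions, the action SHAs are all-zero placeholders to be replaced with the audited release commit, and the Publish step is shown at the correct indentation, as a sibling of the other steps rather than nested under Test.

```yaml
name: build

on:
  push:
    branches: [ main ]
    tags: [ 'v*' ]
  pull_request:

# Workflow-wide default is read-only. Write scopes are granted per job below,
# so a compromised build or test step cannot mint a publishing token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Placeholder SHA: pin to the full 40-character commit of the release you
        # reviewed and keep the tag as a trailing comment for human readers.
        # A tag such as @v4 is mutable; a commit SHA is not.
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)

      - name: Setup Node
        uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          node-version: '22'

      - name: Test
        run: |
          npm ci
          npm test

  publish:
    needs: build
    # Only run for tag pushes; pull requests and branch pushes never reach this job.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token: write lets the job request a short-lived OIDC token from GitHub,
      # which npm exchanges for publish rights on the package configured as a
      # trusted publisher on npmjs.org. No long-lived NPM_TOKEN secret is stored.
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)

      - name: Setup Node
        uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # Trusted publishing needs npm 11.5.1 or newer; the runner image may ship older.
      - name: Update npm
        run: npm install -g npm@latest

      - name: Install
        run: npm ci

      # Sibling of the other steps, not nested under Install or Test.
      # npm detects the OIDC environment and publishes with provenance automatically.
      - name: Publish
        run: npm publish --access public
```

The trusted publisher must also be configured on the npmjs.org side (package settings, pointing at this repository, this workflow file name and, optionally, an environment); otherwise the token exchange is refused. Keeping `id-token: write` on the publish job only, rather than at the top level, is the permissions refactor the PR description refers to: jobs that run untrusted pull-request code never hold that scope.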