docs(readme): document NPM_CONFIG_FILE recommendations + token bootstrap setup#22
Merged
…rap setup

Surface the recommended hardened `.npmrc` contents (per-line rationale) and the token bootstrap auth setup as Security subsections: `NPM_PACKAGE_REGISTRY_TOKEN` + `NPM_EXTRA_CONFIG` secrets needed to publish the first version of a new scoped package, why `npm publish` is used on that path, migration from token to OIDC after first publish. Clarify in the Environment intro that every npm-publish-related value is a secret (encrypted), not a GitHub var. Extend the wire-up example with the `NPM_EXTRA_CONFIG` forward so the bootstrap setup works out of the box. Bumps 0.1.11 to 0.1.12 and prepends the changelog entry.
Summary

Document the recommended hardened `NPM_CONFIG_FILE` `.npmrc` and the token bootstrap auth setup as Security subsections in the README. Reflects the v0.1.11 token-path hardening.

- **Recommended NPM_CONFIG_FILE contents** subsection: the canonical 7-line `.npmrc` with per-line rationale (`save-exact`, `fund=false`, `audit=false`, `ignore-scripts=true`, `package-lock=false`, `prefer-online=true`).
- **Publish — OIDC vs token bootstrap** subsection: explains the auto-detect logic, the OIDC default, the token bootstrap setup (`NPM_PACKAGE_REGISTRY_TOKEN` + `NPM_EXTRA_CONFIG` secrets needed for first publish), why `npm publish` is used on that path, and the post-first-publish migration to OIDC + provenance.
- `var.NPM_EXTRA_CONFIG` is now forwarded so the bootstrap setup works out of the box, with an inline comment noting both secrets are dropped after npm Trusted Publisher is configured.

Stacking

Based on `fix/npm-publish-ignore-scripts` (#20). GitHub will auto-retarget to `main` once #20 merges.

Test plan

- `## Security` block.
- `package.json` version bump (0.1.11 → 0.1.12) consistent with the rest of the release flow.
- `actionlint` + `yamllint` exit 0.
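The six hardening keys the README subsection lists, as an added POSIX sh check that is not part of the PR or the project's own code: it reports any recommended `.npmrc` setting that is missing or set to a different value. The function name `check_npmrc` and the value `save-exact=true` (the PR page names only the key) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR or the project's own code. Checks an
# .npmrc against the six hardening settings the PR's README subsection lists.
# check_npmrc is an assumed name; save-exact=true is assumed since the PR page
# lists only the key. The canonical file's seventh line is not named on the
# page and is not checked here.

# key=value pairs the README recommends:
#   save-exact=true      pin exact versions on install instead of ^/~ ranges
#   fund=false           no funding banner noise in CI output
#   audit=false          no registry audit call on every install
#   ignore-scripts=true  never run dependency lifecycle scripts
#   package-lock=false   do not write a package-lock.json
#   prefer-online=true   revalidate cached metadata with the registry
HARDENED_NPMRC_KEYS="save-exact=true fund=false audit=false ignore-scripts=true package-lock=false prefer-online=true"

# check_npmrc FILE
# Prints each recommended setting that is absent or has another value and
# returns 1; returns 0 when all six match. Comment lines (# or ;) and
# surrounding whitespace are ignored; the last assignment of a key wins,
# as in npm's own config handling.
check_npmrc() {
  file="$1"
  missing=0
  for want in $HARDENED_NPMRC_KEYS; do
    key="${want%%=*}"
    have=$(sed -e 's/[[:space:]]*[#;].*$//' \
               -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
           | grep "^${key}[[:space:]]*=" | tail -n 1 \
           | sed 's/^[^=]*=[[:space:]]*//')
    if [ "$have" != "${want#*=}" ]; then
      printf 'MISSING: %s (found: %s)\n' "$want" "${have:-<unset>}"
      missing=1
    fi
  done
  return $missing
}

# Usage: check_npmrc path/to/.npmrc
```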