chore: Adopt e18e publishing practices (OIDC trusted publishing + provenance) (v5)#405
Merged
📊 Package size report: -0.02% ↓ (unchanged files)
🤖 This report was automatically generated by pkg-size-action
This was referenced May 14, 2026. csandman added a commit that referenced this pull request on May 16, 2026:
* docs: fill out SECURITY.md with a real policy

  Replace the GitHub-templated stub with a project-specific policy: support matrix tied to the @chakra-ui/react major peer (v5/v6 supported, v4 and earlier not), private reporting via GitHub Security Advisories, and pointers to react-select / Chakra UI for upstream issues.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Downgrade the codemod types/node package to match the installed version of node

* chore: Port the v5 publish workflow to main

  Adopts the e18e publishing recommendations on main, mirroring the v5 setup from #405:

  - Add .github/workflows/publish.yml with the three-job test → build → publish flow. OIDC trusted publishing with provenance attestations; no npm tokens. Top-level permissions: {}, persist-credentials: false, pinned action SHAs, --ignore-scripts on install, Node 24 throughout.
  - Replace v5's hardcoded --tag chakra2 with a conditional: stable releases publish to `latest`, GitHub-flagged prereleases publish to `next`.
  - Add `pnpm test` to the test job (v5 omitted it because the test suite didn't exist there yet; on main it does).
  - Drop `prepublishOnly` and `postpublish` from package.json — CI publishes from a pre-built tarball, and the equivalent gating now lives in the publish workflow's test job.
  - Drop `.npmrc ignore-scripts=true`. pnpm's `allowBuilds` whitelist (pnpm-workspace.yaml) already gates dependency install scripts with finer granularity, and the publish workflow passes --ignore-scripts to `pnpm install` explicitly. Removing the blanket flag lets husky's `prepare` script run automatically on fresh installs.
  - Update CONTRIBUTING.md to reflect the install-scripts model change, and remove the now-obsolete .npmrc → ini files.associations entry from .vscode/settings.json.

  Before the first publish from main, the GitHub `publish` environment will need `main` added to its allowed-branches list alongside `v5`.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adopts the e18e publishing recommendations on `v5` so this branch can publish under the `chakra2` dist-tag from a hardened, isolated CI workflow with OIDC trusted publishing and provenance attestations — no npm tokens, no local credentials.

This is being landed on `v5` first so it can be verified end-to-end before being duplicated to `main`.

## What changes

### `.github/workflows/publish.yml` (new)

A three-job publish workflow scaffolded from `@e18e/setup-publish` (`--template default --env publish`) and adapted to pnpm. Triggered on `release: published` to preserve the current "create a GitHub release in the UI → publish" flow.

- `test` — installs (with `--ignore-scripts`), runs `lint:src`, `lint:types`, `build`, `lint:exports` (attw), and `lint:publish` (publint).
- `build` — installs, builds, aligns `package.json` version to the release tag, `npm pack`s a tarball, uploads it as an artifact. No publish credentials in this job.
- `publish` — `needs: [test, build]`. Downloads the tarball and runs `npm publish --provenance --access public --tag chakra2 <tarball>`. This is the only job with `id-token: write`. Scoped to the `publish` GitHub Environment for an approval gate.

Security baseline (per e18e):

- `permissions: {}`, every job opts in minimally.
- `persist-credentials: false` on checkout.
- `--ignore-scripts` on install in CI.
- `id-token: write`.

The `--tag chakra2` flag is the only v5-specific bit. When this is later mirrored to `main`, that's the line that changes.

### `.npmrc` (new)

`ignore-scripts=true` — Defense-in-depth against malicious lifecycle scripts in transitive deps during local installs. See npm docs on ignore-scripts and the e18e supply-chain note.

Side effect: husky's `prepare` script won't auto-run on fresh installs — CONTRIBUTING.md updated with a one-line setup note (`pnpm install && pnpm prepare` on fresh clone; subsequent installs work as normal because git's `core.hooksPath` is already set).

### `package.json`

- `postpublish: "git push --tags"` — CI publishes don't (and shouldn't) push tags; the user pushes tags as part of `pnpm version` + `git push --follow-tags`.
- `prepublishOnly: "pnpm build && pnpm lint"` — CI publishes from a pre-built tarball, which doesn't run local lifecycle scripts; and `.npmrc`'s `ignore-scripts=true` would suppress it anyway. It was vestigial.
- `lint:publish: "publint"` script and `publint` devDep — catches common `package.json` / `exports` misconfigurations before publish, complementing the existing `attw` check.

### `.vscode/settings.json`

- `.npmrc` with the `ini` language (otherwise some VS Code configurations detect it as JSON).

### `CONTRIBUTING.md`

- `pnpm prepare` step on fresh clones, with a brief explanation.

## Manual setup required before first publish

These are configured outside the repo and are not part of this PR's diff. All four must be in place before the workflow can publish successfully:

- `csandman/chakra-react-select`, workflow `publish.yml`, environment `publish`. Immutable releases enabled.
- `publish` — restricted to branch `v5`, with me as a required reviewer (gives a 2FA-gated approval on every publish).
- `v*` — restricts tag creation to admins.

## Release flow after merge

Effectively the same as today, plus an approval click:

1. `pnpm version <patch|minor|major>` on `v5` → `git push --follow-tags origin v5`.
2. `Publish to npm` workflow fires. You'll get a GitHub notification to approve the `publish` environment deployment.
3. `chakra2` dist-tag with a provenance attestation; `latest` untouched.

## Verification plan

End-to-end dry-run on this branch's first release after merge:

- `test` and `build` jobs pass.
- `publish` job pauses for environment approval.
- `npm publish --provenance --tag chakra2` succeeds with no token configured.
- `npm dist-tag ls chakra-react-select` shows `chakra2` pointing at the new version, `latest` unchanged.
- `npm view chakra-react-select@<version> --json` shows `dist.attestations` populated.

## Replication to `main` (out of scope here)

Once verified on `v5`, copy .github/workflows/publish.yml to `main` with these adjustments:

- `--tag chakra2` (or restore the e18e template's `prerelease ? --tag next` conditional).
- `main` to the `publish` environment's allowed branches in the GitHub UI.

## Resources

## Test plan

- `lint`, `pkg-pr`, `zizmor`, `package-size-report` workflows pass on this PR.
- (`pnpm version patch` → `5.1.1`) and walk through the verification checklist above.
- `chakra2` dist-tag updated and `latest` unchanged on npmjs.com.

🤖 Generated with Claude Code
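The three-job layout and security baseline described in this PR (and in the follow-up commit that ports it to `main`), written out here as an added example; this is not the project's actual `publish.yml`, which is not shown on this page. It assumes release tags of the form `v<version>`, that `pnpm/action-setup` reads the pnpm version from `package.json`, and uses `PINNED_SHA` as a placeholder for the full commit SHA each action should be pinned to.

```yaml
name: Publish to npm
on:
  release:
    types: [published]          # fires when a release is created in the GitHub UI
permissions: {}                 # nothing by default; each job opts in below

jobs:
  test:
    runs-on: ubuntu-latest
    permissions: { contents: read }
    steps:
      - uses: actions/checkout@PINNED_SHA   # placeholder: pin to a full commit SHA
        with: { persist-credentials: false }
      - uses: pnpm/action-setup@PINNED_SHA
      - uses: actions/setup-node@PINNED_SHA
        with: { node-version: 24 }
      - run: pnpm install --ignore-scripts   # no dependency lifecycle scripts in CI
      - run: pnpm lint:src && pnpm lint:types && pnpm build && pnpm lint:exports && pnpm lint:publish

  build:
    runs-on: ubuntu-latest
    permissions: { contents: read }        # no publish credentials in this job
    steps:
      - uses: actions/checkout@PINNED_SHA
        with: { persist-credentials: false }
      - uses: pnpm/action-setup@PINNED_SHA
      - uses: actions/setup-node@PINNED_SHA
        with: { node-version: 24 }
      - run: pnpm install --ignore-scripts
      - run: pnpm build
      # align package.json with the release tag (assumed tag v5.1.1 -> version 5.1.1), then pack
      - run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version
      - run: npm pack
      - uses: actions/upload-artifact@PINNED_SHA
        with: { name: package-tarball, path: "*.tgz" }

  publish:
    needs: [test, build]
    runs-on: ubuntu-latest
    environment: publish          # approval gate; environment restricted to branch v5
    permissions: { id-token: write }   # the only job that can mint an OIDC token
    steps:
      - uses: actions/setup-node@PINNED_SHA
        with: { node-version: 24 }
      - uses: actions/download-artifact@PINNED_SHA
        with: { name: package-tarball }
      # no NODE_AUTH_TOKEN: npm exchanges the GitHub OIDC token with the registry's trusted publisher
      - run: npm publish --provenance --access public --tag chakra2 ./*.tgz
```

On `main` the last line becomes the conditional the commit message describes (`--tag next` for GitHub-flagged prereleases, `--tag latest` otherwise); everything else stays the same.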