feat: lock publish to OIDC and a protected GitHub Environment #6
Merged
TheCryptoDonkey merged 1 commit into main from [source branch not captured] on Apr 23, 2026
Conversation
Two orthogonal defences that complement the verify-lifecycle-scripts gate added in 0.9.0:

1. publish-npm refuses legacy npm token auth. Fails if NPM_TOKEN, NODE_AUTH_TOKEN, NPM_CONFIG_PROVENANCE, or _authToken/_auth/_password material in .npmrc is present at publish time. Also enforces publishConfig.provenance: true in package.json rather than relying on a CLI flag. Closes the "maintainer leaves a long-lived token lying around" hole even after OIDC is configured.

2. release.yml attaches the publish job to the npm-publish GitHub Environment by default, exposed via the publish-environment input. Consumers configure protection rules (required reviewers, prevent self-review, branch/tag restrictions) in that environment and bind npm trusted publishing to the same name, so OIDC publish cannot mint a token without going through the reviewer gate.

Migration guides, trusted-publisher README, and comparison doc all updated to reflect the new npm-publish environment value. THREAT-MODEL gains two rows under "defended against".
Summary

Two orthogonal defences that complement the verify-lifecycle-scripts gate shipped in 0.9.0 (PR #5):

- publish-npm now fails if NPM_TOKEN, NODE_AUTH_TOKEN, NPM_CONFIG_PROVENANCE, or _authToken/_auth/_password material in .npmrc is present at publish time. publishConfig.provenance: true is enforced via package.json rather than a --provenance CLI flag (npm 11.6+ short-circuits to ENEEDAUTH when the flag is passed). Closes the "maintainer left a long-lived token in the release job" hole even after trusted publishing is configured.
- release.yml attaches the publish job to the npm-publish GitHub Environment by default, exposed via a new publish-environment input. Consumers configure protection rules (required reviewers, prevent self-review, branch/tag restrictions) in that environment and bind npm trusted publishing to the same name, so OIDC publish cannot mint a token without going through the reviewer gate.
- Migration guides, trusted-publisher README, and comparison doc updated to reflect the new npm-publish environment value.
- THREAT-MODEL gains two new rows under "defended against".

Test plan

- npx bats test/*.bats — 144 / 144 pass (130 pre-existing + 11 verify-lifecycle-scripts + 3 new OIDC-enforcement tests)
- publishConfig.provenance: true is still the only provenance driver in the release flow
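The first defence in the PR description and in the commit summary above is a preflight check that runs before npm publish. The script below is an added example of such a gate written for this page; it is not the project's publish-npm script, and the function name, its arguments, the grep-based package.json check and the constructed sample inputs in the usage notes are all assumptions. It refuses to proceed when any of the listed legacy-token environment variables is set, when a project-level or user-level .npmrc carries _authToken/_auth/_password material, or when package.json does not declare publishConfig.provenance: true.

```shell
#!/usr/bin/env sh
# Added example (not the project's publish-npm script): a preflight gate that
# refuses to publish when legacy npm token material is present or when
# package.json does not pin provenance, matching the checks described in the PR.
# Function and argument names are hypothetical.

# Usage: check_oidc_publish_preflight <checkout-dir> [user-npmrc-path]
# Returns 0 when the checkout is safe for OIDC-only publish, 1 otherwise.
# Every reason is printed to stderr so a failing CI log explains itself.
check_oidc_publish_preflight() {
  dir=${1:-.}
  user_npmrc=${2:-${HOME:-/nonexistent}/.npmrc}
  rc=0

  # 1. Legacy token environment variables must be absent. NPM_CONFIG_PROVENANCE
  #    is included because provenance must come from package.json, not env/CLI.
  for v in NPM_TOKEN NODE_AUTH_TOKEN NPM_CONFIG_PROVENANCE; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      echo "refusing to publish: $v is set; OIDC trusted publishing must not carry legacy tokens" >&2
      rc=1
    fi
  done

  # 2. No credential material in the project-level or user-level .npmrc.
  #    Matches keys such as //registry.npmjs.org/:_authToken=... or _auth=...
  for rc_file in "$dir/.npmrc" "$user_npmrc"; do
    if [ -f "$rc_file" ] && grep -Eq '(^|:)_(authToken|auth|password)[[:space:]]*=' "$rc_file"; then
      echo "refusing to publish: $rc_file contains _authToken/_auth/_password material" >&2
      rc=1
    fi
  done

  # 3. package.json must declare publishConfig.provenance: true. Whitespace is
  #    stripped first so the match works on pretty-printed JSON. A real action
  #    should parse the file with node -e instead of grep; grep is used here so
  #    the example runs without node installed.
  if [ ! -f "$dir/package.json" ]; then
    echo "refusing to publish: $dir/package.json not found" >&2
    rc=1
  elif ! tr -d ' \n\t\r' < "$dir/package.json" \
        | grep -Eq '"publishConfig":\{[^}]*"provenance":true'; then
    echo "refusing to publish: publishConfig.provenance is not true in $dir/package.json" >&2
    rc=1
  fi

  return $rc
}

# When run as a script with a checkout path, act as the CI gate; with no
# argument the file only defines the function so it can be sourced or tested.
if [ $# -gt 0 ]; then
  check_oidc_publish_preflight "$1"
fi
```

Run it as `sh preflight.sh path/to/checkout` as the step immediately before `npm publish`; a non-zero exit aborts the job and the stderr lines name every violated condition rather than only the first. The second defence from the PR is not a script at all: it is the `environment:` key on the publish job in release.yml, set from the `publish-environment` input (default `npm-publish`), plus the matching trusted-publisher binding on npmjs.com, so the OIDC token is only issued once the environment's protection rules have been satisfied.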