- Add id-token: write permission for OIDC authentication
- Remove NODE_AUTH_TOKEN secret dependency
- Add --provenance flag to enable provenance attestation
- Remove always-auth (not needed with OIDC)
- Fix checkout ref to handle workflow_dispatch inputs

NPM Trusted Publishers uses OIDC to establish trust between GitHub Actions and npm, eliminating the need for long-lived npm tokens stored as repository secrets.

Co-authored-by: georgeb <georgeb@bentimagelab.com>
gblikas left a comment
Upgrades to NPM trusted publishing
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: pnpm publish --no-git-checks --access public | ||
| - name: Publish package to npmjs with provenance | ||
| run: pnpm publish --no-git-checks --access public --provenance |
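Review bot: with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` removed, the new `run: pnpm publish --no-git-checks --access public --provenance` step authenticates only through OIDC, which works only if this job grants `id-token: write` and npmjs has a trusted publisher configured for this repository and workflow file; neither is visible in this hunk, so confirm both land in the same change and consider a comment next to the step naming that dependency, since a missing one fails at the registry with an auth error rather than at the flag. `--no-git-checks` is still required because checking out a tag leaves a detached HEAD, but note that it also disables pnpm's clean-working-tree check, so nothing in this step guards against the tree being modified before the attested publish.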
pnpm version 8 may not support provenance
High Severity
The workflow uses pnpm publish --provenance with pnpm version 8, but pnpm may not fully support the --provenance flag in that version. This could cause the publish step to fail with an unrecognized flag error, or publish without generating provenance attestations, defeating the purpose of this upgrade. The --provenance feature is specific to npm and may require a newer pnpm version or explicit compatibility verification.
Upgrade `publish.yml` to use NPM's Trusted Publishers for more secure, token-less publishing with provenance.

Note: Moves npm publishing to NPM Trusted Publishers (OIDC) with provenance and improves tag handling.

- Adds `id-token: write` permission and publishes with `--provenance`
- Removes the token-based settings (`NODE_AUTH_TOKEN`, `always-auth`) in favor of OIDC
- `actions/checkout` now checks out `${{ github.event.release.tag_name || inputs.tag }}` to support manual dispatch

Written by Cursor Bugbot for commit b4cb5f1.
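The shape the publish job takes after this change, as an added illustration rather than the repository's actual `publish.yml`: the action versions, Node version and the `pnpm` version placeholder are assumptions; the checkout expression, the `id-token: write` permission and the publish command are the ones the PR describes.

```yaml
# Pattern this PR removes (kept as a comment for contrast):
#   env:
#     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret, always-auth in .npmrc
#   run: pnpm publish --no-git-checks --access public

name: publish
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: Git tag to publish (name taken from the PR's inputs.tag expression)
        required: true

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job mint a short-lived OIDC token; npmjs checks it against the
      # trusted publisher entry for this repository and workflow file.
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          # release event supplies tag_name; manual dispatch supplies inputs.tag
          ref: ${{ github.event.release.tag_name || inputs.tag }}
      - uses: pnpm/action-setup@v4
        with:
          version: <PNPM_VERSION>   # placeholder: a pnpm release whose publish accepts --provenance
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumption
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - name: Publish package to npmjs with provenance
        # No NODE_AUTH_TOKEN and no always-auth: the registry authenticates the OIDC token.
        # --provenance attaches an attestation linking the tarball to this commit and workflow run.
        # --no-git-checks is needed because a tag checkout is a detached HEAD.
        run: pnpm publish --no-git-checks --access public --provenance
```

Consumers can confirm the attestation reached the registry with `npm audit signatures` in a project that depends on the published version.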