
Conversation

@staaldraad
Member

What kind of change does this PR introduce?

CI/CD update

Additional context

All npm publishing must be done through Trusted Publisher. GH_PAT should not be used and a dedicated GitHub app with tightly scoped permissions is to be used instead.

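A workflow shaped by the two rules in the description (publish only through npm Trusted Publishing, and do repository writes with a tightly scoped GitHub App token rather than a PAT), as an added example and not this PR's own diff; the action versions, the `RELEASE_APP_ID`/`RELEASE_APP_KEY` names, the `permission-*` inputs and the workflow inputs are assumptions.

```yaml
# Added example, not the workflow from this PR: npm publish via Trusted
# Publishing (OIDC) and a short-lived GitHub App installation token for
# repository writes. App id / key names and input names are assumptions.
name: release

on:
  workflow_dispatch:
    inputs:
      release:
        description: "Release tag to publish, e.g. v2.0.0"
        required: true
      pr_number:
        description: "Number of the version-bump PR to auto-merge"
        required: true

permissions: {}   # deny by default; each job requests only what it needs
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets npm trade the job's OIDC token for a publish grant
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.release }}
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs npm >= 11.5.1
      # No NODE_AUTH_TOKEN: npmjs.com binds the trusted publisher to this repo and
      # workflow file and npm publishes with provenance; no long-lived token to leak.
      - run: npm publish --tag latest

  merge-version-bump:
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}           # assumed variable name
          private-key: ${{ secrets.RELEASE_APP_KEY }}  # assumed secret name
          permission-contents: write        # only the two permissions a merge needs
          permission-pull-requests: write
      - run: gh pr merge --auto --squash --repo "$GITHUB_REPOSITORY" "$PR_NUMBER"
        env:
          PR_NUMBER: ${{ inputs.pr_number }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}   # app token, not GH_PAT
```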
@staaldraad staaldraad requested a review from a team as a code owner November 25, 2025 15:15
@coveralls

coveralls commented Nov 25, 2025

Pull Request Test Coverage Report for Build 19675985113

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 5 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.03%) to 55.378%

Files with Coverage Reduction    New Missed Lines    %
internal/gen/keys/keys.go        5                   12.9%

Totals                           Coverage Status
Change from base Build 19662004379: -0.03%
Covered Lines: 6662
Relevant Lines: 12030

💛 - Coveralls

- run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
env:
RELEASE_TAG: ${{ inputs.release }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
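Review bot: removing the `npm dist-tag add "supabase@${RELEASE_TAG#v}" latest` step together with its `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` leaves two things to confirm: that `NPM_TOKEN` is deleted from the repository secrets and revoked on npmjs.com rather than left dormant, and where the `latest` dist-tag is now set for a release (for example `npm publish --tag latest` under the trusted publisher), since this step was doing it.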
Contributor


Curious where is trusted publisher configured?

Member Author

@staaldraad staaldraad Nov 25, 2025


This is configured in npmjs.com - busy setting it up with copple now (edit: configuration done)

run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
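Review bot: swapping `secrets.GH_PAT` for `secrets.GITHUB_TOKEN` on the `gh pr merge --auto --squash` step has two consequences to check: the job's `permissions` block must grant `pull-requests: write` and `contents: write` or the merge call is rejected, and a merge performed with `GITHUB_TOKEN` does not trigger other workflows, so nothing that should run on the resulting push to the base branch will start. The PR description calls for a dedicated GitHub App in place of the PAT; minting that app's installation token and using it as `GH_TOKEN` here avoids both problems.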
Contributor


Don't we need the app token here as well?

Member Author


I don't think so, there has since been a setting change that allows Actions that are not from an on: or pull_request: trigger to create and approve PRs. Maybe merge isn't covered 🤔 - I can switch that to use the GitHub app too, probably safer

@sweatybridge sweatybridge merged commit 9f37d66 into develop Nov 26, 2025
11 of 12 checks passed
@sweatybridge sweatybridge deleted the etienne/trusted-publisher-workflow branch November 26, 2025 01:24