Skip to content

Trusted publishers support #249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kentcdodds merged 1 commit into from
Feb 6, 2026
Merged

Trusted publishers support #249

kentcdodds merged 1 commit into from
Feb 6, 2026
+7 −1

Conversation

@kentcdodds
Copy link
Owner

@kentcdodds kentcdodds commented Feb 6, 2026
edited by coderabbitai bot
Loading

What:
Updated the release job in validate.yml to support npm trusted publishers.

Why:
To enable publishing packages with provenance information using OIDC, enhancing security by removing the reliance on long-lived NPM_TOKEN secrets. This aligns with modern best practices for npm publishing.

How:

  • Added permissions to the release job, including id-token: write for OIDC.
  • Set NPM_CONFIG_PROVENANCE: 'true' in the release job's environment.
  • Removed NPM_TOKEN from the semantic-release-action step's environment.

Checklist:

  • [N/A] Documentation
  • [N/A] Tests
  • Ready to be merged

Open in Cursor Open in Web

Note

Medium Risk
Changes the release pipeline’s auth mechanism and permissions; misconfiguration could break publishing or broaden GitHub token capabilities, but scope is limited to CI.

Overview
Updates the GitHub Actions release job to publish via npm Trusted Publishers/OIDC by granting id-token: write and enabling npm provenance (NPM_CONFIG_PROVENANCE: 'true').

Removes use of the long-lived NPM_TOKEN secret from the semantic-release step, relying on workflow permissions for release/publishing-related actions instead.

Written by Cursor Bugbot for commit 522854a. This will update automatically on new commits. Configure here.

Summary by CodeRabbit

  • Chores
    • Enhanced release workflow security by updating GitHub Actions permissions for contents, identity tokens, issues, and pull requests.
    • Improved package verification by enabling NPM package provenance configuration during the release process.

@cursoragent @kentcdodds
Add OIDC permissions for trusted publishing
522854a 
Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>
@cursor
Copy link

cursor bot commented Feb 6, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@coderabbitai
Copy link

coderabbitai bot commented Feb 6, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Modified the GitHub Actions release workflow to use NPM provenance for package publishing. Added explicit permissions for the release job (contents, id-token, issues, pull-requests) and an environment variable enabling NPM provenance configuration. Removed direct NPM_TOKEN secret reference from the release step environment.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/validate.yml		 Added permissions block to release job granting write access to contents, id-token, issues, and pull-requests. Introduced NPM_CONFIG_PROVENANCE: 'true' environment variable. Removed NPM_TOKEN secret from release step environment variables.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops of joy with provenance so true,
No secrets exposed, permissions all new,
NPM publishes with trust and with care,
Security hopping through the air!

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch cursor/trusted-publishers-support-bc40

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@kentcdodds kentcdodds marked this pull request as ready for review February 6, 2026 18:03
@kentcdodds kentcdodds merged commit 6b5c6e4 into main Feb 6, 2026
7 of 8 checks passed
@kentcdodds kentcdodds deleted the cursor/trusted-publishers-support-bc40 branch February 6, 2026 18:04
@codecov
Copy link

codecov bot commented Feb 6, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.26%. Comparing base (e68fecc) to head (522854a).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #249      +/-   ##
==========================================
+ Coverage   63.14%   63.26%   +0.12%     
==========================================
  Files          21       21              
  Lines         605      607       +2     
  Branches      228      230       +2     
==========================================
+ Hits          382      384       +2     
  Misses        182      182              
  Partials       41       41

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link

github-actions bot commented Feb 6, 2026

🎉 This PR is included in version 17.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kentcdodds @cursoragent