Trusted publishing by JoviDeCroock · Pull Request #5072 · preactjs/preact
Summary

- Adds a `publish` job to the release workflow that publishes to npm with provenance using OIDC
- Derives the npm dist-tag from the git tag (prerelease identifier or `latest`)
- Adds `publishConfig` with `provenance: true` and `access: "public"` to package.json
- Uses `id-token: write` permission for provenance attestation

Security hardening

In addition to the new publish job, this PR nails down some loose ends in the existing workflow:

- Trigger scoped to `on: push: tags: ['10.*']` instead of `on: create`, which fired for both tags and branches. This also restricts to 10.x version tags only.
- Potential script injection fixed in the `release` job — `${{ steps.create-release.outputs.result }}` was interpolated directly into a `script:` block. Now passed via `RELEASE_DATA` env var and parsed with `JSON.parse`.
- All actions pinned to commit SHAs instead of mutable major version tags, preventing supply-chain attacks via tag mutation.
- Explicit permissions on all jobs — `release` declares `contents: write`, `publish` declares `contents: read` + `id-token: write`.

Open question

- Environment protection gate: Should the `publish` job require manual approval via a GitHub Environment (e.g. `npm`) with required reviewers? Currently noted as a TODO — any collaborator with write access can push a tag and trigger a publish without approval. See https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments

Setup required

- On npmjs.com, link the package to the `preactjs/preact` GitHub repo for provenance verification
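As an added example (not code from this PR or from the preact project), the three mechanics the description relies on: deriving the npm dist-tag from the git tag, reading the release step's output from an environment variable and `JSON.parse` rather than from an interpolated expression, and a check that every `uses:` reference is pinned to a full commit SHA. Helper names, the field `tag_name` and the workflow snippet are assumptions constructed for the example.

```javascript
// Added example, not the preact workflow's own code. Helper names are hypothetical.

// Accepts "refs/tags/10.5.0" or a bare "10.5.0" (GITHUB_REF / GITHUB_REF_NAME).
const TAG_RE = /^(?:refs\/tags\/)?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+)(?:\.[0-9A-Za-z.]+)?)?$/;

// 10.5.0 -> "latest"; 10.5.0-beta.3 -> "beta"; 10.5.0-rc.0 -> "rc".
// Anything that is not a release tag is rejected instead of silently becoming "latest".
function distTagFromRef(ref) {
  const m = TAG_RE.exec(ref);
  if (!m) throw new Error(`not a release tag: ${ref}`);
  return m[4] ? m[4] : "latest";
}

// The release JSON arrives as the RELEASE_DATA env var, so it is data handed to the
// script, not text spliced into the script body. JSON.parse either yields an object
// or throws; nothing in the value can change what the script does.
function parseReleaseData(env) {
  const raw = env.RELEASE_DATA;
  if (typeof raw !== "string" || raw.length === 0) throw new Error("RELEASE_DATA missing");
  const data = JSON.parse(raw);
  if (typeof data.tag_name !== "string") throw new Error("tag_name missing"); // assumed field
  return data;
}

// Lists every `uses:` reference in a workflow that is not pinned to a 40-hex commit SHA.
// Local actions (./...) and docker:// references are skipped; they are not tag-mutable.
function unpinnedUses(workflowText) {
  const out = [];
  for (const line of workflowText.split("\n")) {
    const m = /^\s*-?\s*uses:\s*([^\s#]+)/.exec(line);
    if (!m) continue;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) continue;
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!/^[0-9a-f]{40}$/.test(version)) out.push(ref);
  }
  return out;
}

// Constructed workflow snippet; the SHA below is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local
`;
```

Running `unpinnedUses(SAMPLE_WORKFLOW)` reports only `actions/checkout@v4`, the one reference that a tag move could redirect.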
LGTM