Skip to content

ci: Switch to trusted publishing #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ci: Switch to trusted publishing #293

wants to merge 1 commit into from
+6 −88

Conversation

mdjermanovic
Copy link
Member

Prerequisites checklist

What is the purpose of this pull request?

Switch to Trusted Publishing.

What changes did you make? (Give an overview)

Infrastructure:

  • Configured Trusted publisher on npmjs.com for all 8 packages.
  • Set Publishing access to "Require two-factor authentication and disallow tokens" on npmjs.com for all 8 packages.
  • Removed access to NPM_TOKEN for this repo on GitHub.

This PR:

  • Updated the CODEOWNERS file to ensure that changes to release-please.yml require an approval from TSC.
  • Updated release-please workflow to install the latest npm to ensure availability of trusted publishing.
  • Removed NPM_TOKEN from the workflow.
  • Removed manual-publish.yml file.

Related Issues

Closes #280

Is there anything you'd like reviewers to focus on?

Do we want to keep manual publishing? It seems that npmjs allows only one workflow file for trusted publishing, so we'd need to somehow incorporate it in release-please.yml.

@github-project-automation github-project-automation bot moved this to Needs Triage in Triage Oct 10, 2025
aladdin-add
aladdin-add approved these changes Oct 10, 2025
View reviewed changes
Copy link
Member

@aladdin-add aladdin-add left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@aladdin-add
Copy link
Member

Do we want to keep manual publishing? It seems that npmjs allows only one workflow file for trusted publishing, so we'd need to somehow incorporate it in release-please.yml.

I think it's fine to remove it. This job seems no longer necessary: it was created to fix #153, which has now been resolved. Would like @nzakas to verify.

@aladdin-add aladdin-add moved this from Needs Triage to Second Review Needed in Triage Oct 10, 2025
@aladdin-add aladdin-add requested a review from nzakas October 10, 2025 17:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aladdin-add aladdin-add aladdin-add approved these changes

@nzakas nzakas Awaiting requested review from nzakas

Assignees

No one assigned

Labels

accepted build

Projects

Triage
Status: Second Review Needed

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Change Request: Switch to trusted publishing

3 participants

@mdjermanovic @aladdin-add @lumirlumir