ci: migrate to OIDC Trusted Publishing #1079
Conversation
package.json
Outdated
| "devDependencies": { | ||
| "@semantic-release-extras/github-comment-specific": "1.0.7", | ||
| "@semantic-release/npm": "12.0.1", | ||
| "@semantic-release-extras/github-comment-specific": "2.0.7", |
There was a problem hiding this comment.
Why does this have to be updated? Fairly sure last time this was tried there was an ESM-related issue. How have you tested this?
There was a problem hiding this comment.
Oh I was just updating them for the sake of using the latest stable version. I can get rid of them, I don't think this should affect trusted publishing.
There was a problem hiding this comment.
I do want to update semantic-release/npm though. Updating to the latest version includes npm's bug fixes that were troubling us last month
package.json
Outdated
| "@semantic-release/npm": "13.1.2", | ||
| "@types/node": "22.5.0", | ||
| "multi-semantic-release": "3.0.2", | ||
| "multi-semantic-release": "3.1.0", |
There was a problem hiding this comment.
Is this required to implement trusted publishing, or was it updated for a different reason? I'd like to reduce changes to minimum to reduce unnecessary risk.
ericcrosson-bitgo
left a comment
ericcrosson-bitgo
left a comment
There was a problem hiding this comment.
Uses trusted publishing -- thanks @tanjeemh!
What problem are we solving?
As
npmhas let us know that they are revoking all classic npm-tokens this month, we are migrating to using OIDC Trusted Publishing instead.Why are we solving it this way?
id-token: writepermissions is required for OIDC authenticationpublish-apitsfor secure deployments to the master branchpatches/@semantic-release+npm+12.0.1.patchas the patch-package file is no longer required since @semantic-release/npm@^v13.0.0 has fixed thewhoamibugTicket: DX-2319