Skip to content

feat(npm): trusted publishing #5160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
khaliqgant wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat(npm): trusted publishing #5160

khaliqgant wants to merge 2 commits into from

Conversation

@khaliqgant
Copy link
Member

@khaliqgant khaliqgant commented Dec 16, 2025
edited by propel-code-bot bot
Loading

Used https://prpm.dev/packages/prpm/npm-trusted-publishing FWIW

Enable npm trusted publishing

Updates the release automation to satisfy npm trusted publishing requirements. Workflow permissions now request contents: write and id-token: write, the job upgrades to the latest npm CLI before publishing, and the release script publishes each workspace package with provenance metadata.

Key Changes

• Added workflow-level contents: write and id-token: write permissions in .github/workflows/publish.yaml
• Installed the latest npm CLI during the publish job so provenance is supported
• Appended the --provenance flag to npm publish calls in scripts/publish.mjs
• Granted id-token: write permission to the publish job in .github/workflows/cli-verification.yaml

Affected Areas

• .github/workflows/publish.yaml
• scripts/publish.mjs
• .github/workflows/cli-verification.yaml

This summary was automatically generated by @propel-code-bot

@my-senior-dev-pr-review
Copy link

my-senior-dev-pr-review bot commented Dec 16, 2025
edited
Loading

🤖 My Senior Dev

3 files reviewed • 1 high risk • 1 need attention

🚨 High Risk:

  • .github/workflows/cli-verification.yaml — Modifies permissions to allow id-token writing, creating potential risks without proper handling of authentication and token management.

⚠️ Needs Attention:

  • .github/workflows/cli-verification.yaml — The change lacks documentation on the purpose of the updated permissions, which is important for understanding the security implications of the modification.

View full analysis →

💬 Try: @my-senior-dev explain this change or summon @chaos-monkey 🐵 @security-auditor 🔒 @optimizer ⚡ for different perspectives

📖 All commands & personas

You can interact with me by mentioning @my-senior-dev in any comment:

In PR comments or on any line of code:

  • Ask questions about the code or PR
  • Request explanations of specific changes
  • Get suggestions for improvements

Slash commands:

  • /help — Show all available commands
  • /archeology — See the history and evolution of changed files
  • /profile — Performance analysis and suggestions
  • /expertise — Find who knows this code best
  • /personas — List all available AI personas

AI Personas (mention to get their perspective):

Persona Focus
@chaos-monkey 🐵 Edge cases & failure scenarios
@skeptic 🤨 Challenge assumptions
@optimizer Performance & efficiency
@security-auditor 🔒 Security vulnerabilities
@accessibility-advocate Inclusive design
@junior-dev 🌱 Simple explanations
@tech-debt-collector 💳 Code quality & shortcuts
@ux-champion 🎨 User experience
@devops-engineer 🚀 Deployment & scaling
@documentation-nazi 📚 Documentation gaps
@legacy-whisperer 🏛️ Working with existing code
@test-driven-purist Testing & TDD

For the best experience, view this PR on myseniordev.com — includes AI chat, file annotations, and interactive reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@khaliqgant