ci: switch npm and PyPI releases to Trusted Publishing (OIDC)#47
ci: switch npm and PyPI releases to Trusted Publishing (OIDC)#47thebenignhacker wants to merge 1 commit into
Conversation
The npm workflow was already requesting `--provenance` with `id-token: write` AND a long-lived `NODE_AUTH_TOKEN`. The Python workflow set `id-token: write` AND `password: PYPI_API_TOKEN`. The PyPI side has been silently emitting attestations: ignored on every run since 0a31816 (2026-02-07): The workflow was run with the 'attestations: true' input, but an explicit password was also set, disabling Trusted Publishing. As a result, the attestations input is ignored. Both registries now exclusively use OIDC Trusted Publishing: publish-npm.yml - Bump runner Node to 24 (TP requires modern npm). - Drop `NODE_AUTH_TOKEN: secrets.NPM_TOKEN`. `id-token: write` plus `registry-url: https://registry.npmjs.org` is sufficient for setup-node@v4 + npm 11+ to handle the OIDC handshake. publish.yml - Drop `password: secrets.PYPI_API_TOKEN` from all four publish jobs (cryptoserve-core, cryptoserve-client, cryptoserve-auto, cryptoserve). `id-token: write` plus `environment: pypi` is what pypa/gh-action-pypi-publish needs to enable attestations. - Harden the GitHub Release step so re-runs against an existing tag (which was the actual cause of the v1.4.3 publish-job failure) update assets via `gh release upload --clobber` instead of crashing the whole job. Pre-merge checklist (admin actions, then merge): 1. npmjs.com -> cryptoserve -> Settings -> Publishing access -> Trusted Publisher: org=ecolibria, repo=cryptoserve, workflow=publish-npm.yml, environment blank. 2. For each of cryptoserve, cryptoserve-core, cryptoserve-client, cryptoserve-auto on pypi.org -> Settings -> Publishing -> add Trusted Publisher: owner=ecolibria, repo=cryptoserve, workflow=publish.yml, environment=pypi. 3. After steps 1 + 2 are confirmed: merge this PR. Then delete NPM_TOKEN and PYPI_API_TOKEN from repo secrets. 4. Verify on the next release with `npm view cryptoserve dist.attestations --json` and `curl https://pypi.org/pypi/cryptoserve/<v>/json | jq '.urls[].has_sig'`. This PR keeps the workflow on `js-v*` and `v*` tag triggers; tag hygiene and the manual-publish hole that produced npm cryptoserve 0.3.4 without provenance are out of scope here.
|
Claude finished @thebenignhacker's task —— View job Security Review Complete ✅Tasks
Changes Summarypublish-npm.yml:
publish.yml:
Security AnalysisI've performed a comprehensive security review across all 12 categories specified: ✅ Categories 1-9: No Issues Found
✅ Categories 10-12: Logic Verification
Additional ObservationsPositive changes:
No security regressions identified. The migration from static tokens to OIDC Trusted Publishing is a security best practice. FINDINGS_COUNT=0 |
|
Manual review required. This PR did not meet auto-merge criteria:
|
|
Closing for now per maintainer call. The diagnosis stands (PyPI |
Summary
NODE_AUTH_TOKEN: secrets.NPM_TOKENfrompublish-npm.ymland bump runner Node to 24 so npm Trusted Publishing handles auth via OIDC.password: secrets.PYPI_API_TOKENfrom all four PyPI release jobs inpublish.yml. Thepypa/gh-action-pypi-publishaction silently disables attestations whenever apassword:is supplied alongsideid-token: write, so every PyPI release since 0a31816 (2026-02-07) shipped without sigstore signatures despite theattestations: truedefault.gh release upload --clobberinstead of crashing the whole job.DRAFT until admin actions complete
This PR will break the next release if merged before Trusted Publishing is configured on the registries. Steps to land it:
cryptoserve-> Settings -> Publishing access -> Trusted Publisher -> GitHub Actionsecolibriacryptoservepublish-npm.ymlpypa/gh-action-pypi-publishaction prints these in every run.ecolibria, repo=cryptoserve, workflow=publish.yml, environment=pypi.NPM_TOKENandPYPI_API_TOKENfrom repo secrets so a future revert cannot silently re-disable provenance.Verification (next release after merge)
Out of scope
cryptoserve@0.3.4npm release that has no provenance because nojs-v0.3.4tag was ever pushed (manual release outside the workflow). Tag-push gate hook will be a separate PR.actions/checkoutandactions/download-artifactto silence the Node 20 deprecation warning. Those actions are scheduled to migrate themselves before June 2026.Test plan
npm notice publish Provenance statement published to transparency log:appears in the npm job log.the attestations input is ignored.