
@theengineear
Collaborator

Doing this improves our security as it relates to publishing to NPM from GitHub. These changes relate to #326.

Additionally:

  • Stop calling npm ci during publish; it’s a known attack vector and we shouldn’t actually need it in our no-build repository.
  • Bump GitHub actions dependencies to “@v6”.

steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/checkout@v6
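Review bot: `uses: actions/checkout@v6` pins to a mutable tag, so the job will trust whatever commit the `v6` tag resolves to in the future; since the point of this change is hardening the publish path, pin each action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`. The context here still shows `actions/setup-node@v3`, so it is worth confirming that line was bumped as well.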
Collaborator Author


Doing some due diligence.

with:
node-version: '22.14'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
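Review bot: dropping `- run: npm ci` removes the install at publish time, but `npm publish` still runs any `prepare`/`prepublishOnly` lifecycle scripts declared in package.json, which can pull dependencies back in; confirm no such scripts exist, or pass `--ignore-scripts` to the publish step so the no-install property actually holds.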
Collaborator Author


I think this was probably just copied at one point. This project doesn’t even have production dependencies and it has no build… so I don’t know why we’d need to run npm ci. This should theoretically reduce attack vector surface area, fwiw.

jobs:
main:
runs-on: ubuntu-latest
environment: npm-publish
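Review bot: `environment: npm-publish` only adds protection once the environment exists with rules attached (required reviewers and/or a deployment-branch restriction to `main`) and the npm token is stored as an environment secret rather than a repository secret; with a repository-level token, any workflow run can still read it and the environment gate is cosmetic. Worth documenting the expected environment configuration in the PR or README so whoever creates it sets those rules.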
Collaborator Author


Key change: We now run this action within an assumed environment (yet to be created). It’s called npm-publish here to differentiate it from other ways we publish (e.g., JSR). I.e., publish did not feel sufficient enough.
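As an added example, not the project's own workflow, here is a publish job in the shape this change points toward: the job runs inside the `npm-publish` environment, actions are pinned by commit SHA (the `<full-commit-sha>` values are placeholders), the token name `NPM_TOKEN` is assumed, and the publish step runs without a preceding `npm ci`.

```yaml
# Added example (not the project's workflow): npm publish gated by a GitHub
# environment. Placeholders/assumptions: the `<full-commit-sha>` pins, the
# secret name NPM_TOKEN, and the release trigger.
name: publish

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  main:
    runs-on: ubuntu-latest
    # Protection rules on this environment (required reviewers, deployment
    # branch restriction) gate the job; NPM_TOKEN must be an environment
    # secret so only jobs that passed those rules can read it.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # required for `npm publish --provenance`
    steps:
      - uses: actions/checkout@<full-commit-sha> # v6 (placeholder pin)
        with:
          persist-credentials: false   # don't leave the GITHUB_TOKEN in .git/config
      - uses: actions/setup-node@<full-commit-sha> # v6 (placeholder pin)
        with:
          node-version: '22.14'
          registry-url: 'https://registry.npmjs.org'   # writes .npmrc reading NODE_AUTH_TOKEN
      # No `npm ci`: the package has no production dependencies and no build.
      # --ignore-scripts keeps lifecycle scripts from running at publish time;
      # --provenance attaches a signed attestation of this workflow to the tarball.
      - run: npm publish --provenance --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The `environment:` key does nothing on its own; the gate comes from the rules configured on the environment and from scoping the token to it, which is why the example keeps the publish secret out of repository-level secrets.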

wesleytodd previously approved these changes Dec 4, 2025
@theengineear theengineear force-pushed the use-github-environment branch from 8d4093a to 831c2ff on December 4, 2025 23:45
@theengineear theengineear merged commit c332566 into main Dec 4, 2025
1 check passed
@theengineear theengineear deleted the use-github-environment branch December 4, 2025 23:46