This part of the blog post:
OIDC trusted-publisher binding has no per-publish review. Once configured, any code path in the workflow can mint a publish-capable token. We need to either (a) move to short-lived classic tokens with manual review, or (b) add provenance-source verification to detect publishes from unexpected workflow steps.
Could easily be solved:
- On NPM, in pkg settings, limit publish to one environment (e.g. publish)
- On GitHub, create a publish env. Then require maintainer review before publish
Demo: https://github.com/alcuadrado/trusted-publishing-example
Complete minimal reproducer
https://example.com
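As an added illustration of the two steps above (not code from the linked demo repo or from the original comment), here is a GitHub Actions workflow in which only a job bound to a "publish" environment can request the OIDC token; the environment name, Node version and action versions are assumptions, and the matching npm-side setting is that the trusted publisher is pinned to that environment name.

```yaml
# .github/workflows/publish.yml (constructed example; names are assumptions)
name: Publish to npm

on:
  release:
    types: [published]

# Default: no job may request an OIDC token.
permissions:
  contents: read

jobs:
  build:
    # Build and test run without id-token permission, so nothing in this
    # job can mint a token that npm would accept for publishing.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to the environment means it starts only after the
    # environment's protection rules pass, e.g. a required reviewer approves.
    environment: publish
    permissions:
      contents: read
      id-token: write   # the only job allowed to request an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # The OIDC token names this workflow and environment. With the npm
      # trusted publisher pinned to environment "publish", a token minted
      # from any other job or environment is rejected at publish time.
      - run: npm publish --provenance
```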