ci: switch npm publish to trusted publishing (OIDC) #25

Merged: Joao208 merged 1 commit into main from joaobarros-/-ci-trusted-publishing on Apr 3, 2026

Conversation

Joao208 (Contributor) commented Apr 3, 2026

What changes

  • Replaces NPM_TOKEN-based authentication with Trusted Publishing (OIDC)
  • Adds the id-token: write permission (required for OIDC)
  • Removes the packages: write permission (not needed for the npm registry)
  • Adds the --provenance flag to npm publish to generate provenance statements

Why

Trusted Publishing is more secure than long-lived tokens:

  • No secrets to rotate or leak
  • Direct OIDC authentication between GitHub Actions and npm
  • Provenance statements let consumers verify the package's origin

Setup required after merge

For each @arvoretech/* package on npm:

  1. Go to Settings → Trusted Publishing → Add new provider
  2. Configure: owner=arvoreeducacao, repo=arvore-mcp-servers, workflow=ci.yml

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow for package publishing with enhanced security measures, including provenance verification to ensure package integrity and authenticity.
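The publish job before and after the change described in this PR, as an added example that is not the repository's own ci.yml; the trigger, job id, Node version and package path are assumptions, and the weak form is kept only as commented-out context:

```yaml
# Added example (not the PR's ci.yml). Assumed: tag trigger, job id,
# Node 22, package path. Requires an npm CLI that supports trusted
# publishing (assumed: 11.5.1 or later).

# --- Before: long-lived secret handed to the registry on every run ---
# permissions:
#   contents: read
#   packages: write          # not needed for npm publish
# steps:
#   - run: npm publish
#     env:
#       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # rotatable, leakable

# --- After: trusted publishing (OIDC) plus provenance ---
name: ci
on:
  push:
    tags: ['v*']             # assumed release trigger

permissions:
  contents: read
  id-token: write            # lets the job request an OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest   # GitHub-hosted runner, as the OIDC issuer expects
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'   # required so npm targets the registry that trusts this workflow
      - run: npm ci
      # No NODE_AUTH_TOKEN: npm exchanges the job's OIDC token for a
      # short-lived registry credential scoped to this workflow (owner,
      # repo and workflow file must match the trusted publisher config).
      # --provenance attaches a signed statement of where the build ran.
      - run: npm publish --provenance
        working-directory: packages/example   # assumed path
```

On the consumer side, `npm audit signatures` checks registry signatures and provenance attestations of installed packages, which is how the "verify the origin" claim in the description is exercised in practice.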

coderabbitai (Bot) commented Apr 3, 2026

Caution

Review failed

The pull request is closed.


Reviewing files that changed from the base of the PR and between 5623c4e and 07f243b.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Walkthrough

The CI workflow's npm publishing step was reconfigured to use provenance-based authentication. The workflow permissions were shifted from packages: write to id-token: write, the --provenance flag was added to publish commands, and the NODE_AUTH_TOKEN environment variable reference was removed.

Changes

Cohort / File(s): Workflow Configuration (.github/workflows/ci.yml)
Summary: Modified the npm publish authentication method from token-based to provenance-based; updated workflow permissions from packages: write to id-token: write and added the --provenance flag to publish invocations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Our bunny scripts now sign with pride,
No tokens hopping far and wide,
With provenance flags held high and true,
We publish packages bold and new! ✨


@Joao208 Joao208 merged commit 1fabebb into main Apr 3, 2026
2 of 3 checks passed
@Joao208 Joao208 deleted the joaobarros-/-ci-trusted-publishing branch April 3, 2026 23:07
@Joao208 Joao208 restored the joaobarros-/-ci-trusted-publishing branch April 3, 2026 23:35
@Joao208 Joao208 deleted the joaobarros-/-ci-trusted-publishing branch April 4, 2026 04:34