The npmjs auto-publish flow has three correctness gaps:
- It treats any version mismatch between the checked-in version and npmjs as publishable, so an older local version would be pushed as if it were a new release.
- It can promote stale artifacts because it no longer waits for the GitHub Packages publish job and does not request an exact package version.
- It converts every npm publish failure into a warning, so a real release failure shows up as a green run.
Changes in this PR:
- Gate npmjs publishing on a strict semver increase over the version currently served by npmjs (equal or older versions are skipped, not published).
- Restore the dependency on the GitHub Packages publish job and pass the checked-in release version into the promotion script.
- Update the promotion script to request exact package versions when provided and to tolerate only known "already published" failures; every other npm error fails the job.
Verification:
- Run targeted shell validation of the promotion script against mocked npm/curl responses (newer, equal and older versions; an "already published" error; an unrelated npm error).
- Inspect the workflow diff to confirm the publish gate and job dependencies match the intended release flow.
The current flow uses a long-lived NPM_TOKEN secret for publishing to
npmjs.org. This should be replaced with npm's trusted publishing
(OIDC-based publishing, which also attaches provenance attestations), which:
- Eliminates stored npm tokens entirely: on each run GitHub Actions mints a short-lived OIDC token for the job, and npm exchanges it for a one-off publish credential.
- Adds provenance attestation to published packages (visible on npmjs.org), linking each version to the workflow run that built it.
- Removes both the compromise risk of a leaked long-lived token and the breakage risk of an expired one.
Steps to migrate:
- Link each `@stripe/sync-*` package to the GitHub repo and workflow file in npm's trusted publishing settings.
- Add `permissions: id-token: write` to the `publish_npmjs` job. Because an explicit `permissions:` block replaces the defaults, keep `contents: read` alongside it or the checkout step loses access.
- Use `npm publish --provenance` instead of token-based auth, and make sure the job runs a recent npm CLI (trusted publishing needs npm 11.5.1 or later per npm's docs; `npm install -g npm@latest` in the job is the simplest way to guarantee this).
- Remove the `NPM_TOKEN` secret from the repo, and drop the `NODE_AUTH_TOKEN` env from the publish step so npm does not keep preferring a token over OIDC.
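The two checks this PR and the follow-up describe, as an added example (not the repo's promotion script or workflow): a strict-semver publish gate that refuses equal or older versions and only tolerates known "already published" npm failures, and a pre-flight for the trusted publishing job that fails fast if a long-lived token is still present, the job has no OIDC token, or the npm CLI is too old. `npm` is replaced by a shell function with constructed registry responses so the script runs offline; the package names, the 11.5.1 minimum CLI version, the E404-means-unpublished rule and the error-message patterns are assumptions, not taken from the project.

```shell
#!/bin/sh
# Added example, not the repo's promotion script. `npm` is mocked below so
# the gate and the pre-flight can be exercised offline.
set -eu

# Accept only plain MAJOR.MINOR.PATCH (assumption: checked-in release
# versions carry no pre-release or build suffix).
is_release_semver() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;        # digits and dots only, no empty field
  esac
  rest=${1#*.}                                # drop MAJOR.
  case $rest in *.*) ;; *) return 1 ;; esac   # need MINOR.PATCH
  rest=${rest#*.}                             # drop MINOR.
  case $rest in *.*) return 1 ;; esac         # a fourth field is not semver
  return 0
}

# Print -1, 0 or 1 for a < b, a = b, a > b, comparing each field numerically
# (so 1.10.0 > 1.9.9, which a string compare gets wrong).
semver_cmp() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2                                # -> MAJ MIN PAT MAJ MIN PAT
  IFS=$old_ifs
  for pair in "$1 $4" "$2 $5" "$3 $6"; do
    x=${pair% *}; y=${pair#* }
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Gate: publish only when the checked-in version is strictly newer than the
# one npmjs serves. The old flow treated ANY mismatch as publishable.
should_publish() {
  if ! is_release_semver "$1" || ! is_release_semver "$2"; then
    echo "gate: refusing to compare non-release versions '$1' vs '$2'" >&2
    return 2
  fi
  [ "$(semver_cmp "$1" "$2")" -eq 1 ]
}

# Look up the npmjs version and apply the gate. Only an E404 (package never
# published) is treated as 0.0.0; any other lookup failure aborts rather than
# guessing, so a network error cannot turn into a publish attempt.
gate_publish() {
  pkg=$1 local_version=$2 rc=0
  out=$(npm view "$pkg" version 2>&1) || rc=$?
  if [ "$rc" -ne 0 ]; then
    case $out in
      *E404*) remote_version=0.0.0 ;;
      *) echo "gate: cannot read npmjs version for $pkg: $out" >&2; return 2 ;;
    esac
  else
    remote_version=$out
  fi
  if should_publish "$local_version" "$remote_version"; then
    echo "publish $pkg@$local_version (npmjs has $remote_version)"
  else
    echo "skip $pkg@$local_version (npmjs has $remote_version)"
    return 1
  fi
}

# Only a known "already published" failure is tolerable; everything else is a
# real release failure. Patterns are assumptions based on npm CLI messages.
is_already_published_error() {
  printf '%s\n' "$1" |
    grep -Eqi 'cannot publish over the previously published version|EPUBLISHCONFLICT'
}

# Pre-flight for the trusted publishing job. Arguments: npm CLI version,
# $ACTIONS_ID_TOKEN_REQUEST_URL (empty unless the job has id-token: write),
# and any leftover NPM_TOKEN/NODE_AUTH_TOKEN value. 11.5.1 is the assumed
# minimum npm CLI for trusted publishing.
MIN_NPM_FOR_OIDC=11.5.1
trusted_publish_preflight() {
  npm_version=$1 id_token_url=$2 leftover_token=$3
  if [ -n "$leftover_token" ]; then
    echo "preflight: a long-lived npm token is still set; remove it so npm uses OIDC" >&2; return 1
  fi
  if [ -z "$id_token_url" ]; then
    echo "preflight: no OIDC token available; add 'permissions: id-token: write' to the job" >&2; return 1
  fi
  if [ "$(semver_cmp "$npm_version" "$MIN_NPM_FOR_OIDC")" -lt 0 ]; then
    echo "preflight: npm $npm_version < $MIN_NPM_FOR_OIDC; run 'npm install -g npm@latest' first" >&2; return 1
  fi
  return 0
}

# Mock npm with constructed registry state (not real packages or responses).
npm() {
  case "$1 $2 $3" in
    "view @stripe/sync-example version") echo 1.4.2 ;;
    "view @stripe/sync-new version") echo "npm ERR! code E404" >&2; return 1 ;;
    *) echo "npm ERR! code ENETUNREACH (mock)" >&2; return 1 ;;
  esac
}

# Demo run against the mock.
gate_publish @stripe/sync-example 1.5.0 || true   # publish: strictly newer
gate_publish @stripe/sync-example 1.4.1 || true   # skip: older than npmjs
gate_publish @stripe/sync-new 0.1.0 || true       # first release via E404
trusted_publish_preflight 11.6.0 https://example.invalid/idtoken "" && echo "preflight: ok"
```

Wire `gate_publish` into the workflow before the publish step and feed the captured `npm publish` stderr through `is_already_published_error`; exit non-zero on any other error so the job goes red instead of logging a warning.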