@jwndlng jwndlng commented Oct 27, 2025

Changed the 'token' input requirement to optional in order to fully switch to trusted publishing (via OIDC).

@ilbertt ilbertt left a comment

We should add the enable_provenance boolean parameter as required (so that one is forced to specify the desired behavior) and set its value in the env below at line 27.

This is a breaking change, but we can easily handle it by upgrading the workflows that use this action across the org.

jwndlng commented Oct 27, 2025

> We should add the enable_provenance boolean parameter as required (so that one is forced to specify the desired behavior) and set its value in the env below at line 27.
>
> This is a breaking change, but we can easily handle it by upgrading the workflows that use this action across the org.

This time I did not forget about it, but I planned it as a separate PR (have the boilerplate ready). I would make it optional and set the default to true. From a security perspective this should be enabled by default and one should intentionally disable it if needed. Wdyt?

ilbertt commented Oct 27, 2025

> I would make it optional and set the default to true. From a security perspective this should be enabled by default and one should intentionally disable it if needed. Wdyt?

This solution also makes sense, let's go for it then.

ilbertt commented Oct 27, 2025

> This time I did not forget about it, but I planned it as a separate PR (have the boilerplate ready)

Great, looking forward to it!

@jwndlng jwndlng merged commit bf4e30a into main Oct 27, 2025
11 checks passed
@jwndlng jwndlng deleted the jwndlng-patch-1 branch October 27, 2025 19:21
github-merge-queue bot pushed a commit to dfinity/cbor-js that referenced this pull request Oct 28, 2025
NPM package publishing will be migrated to use Trusted Publishing (via
OIDC).

Requires dfinity/ci-tools#62 to be merged first.