
Use trusted publishing for NPM packages#24171

Merged
zanieb merged 1 commit into main from zb/npm-trusted
Mar 25, 2026

Conversation

@zanieb (Member) commented Mar 25, 2026

If it breaks, it's @MichaReiser's fault

@zanieb zanieb added the release Related to the release process label Mar 25, 2026
@zanieb zanieb marked this pull request as ready for review March 25, 2026 13:14
@MichaReiser (Member) commented

I feel like it's not in my interest to approve this PR 😅

@zanieb zanieb merged commit 96f55d1 into main Mar 25, 2026
41 checks passed
@zanieb zanieb deleted the zb/npm-trusted branch March 25, 2026 14:40
@j178 (Contributor) commented Mar 25, 2026

Just a quick reminder about npm trusted publishing (like how crates.io works):

We need to use the workflow name that calls the reusable workflow to verify the publisher. So we should configure release.yml as the workflow name — not publish-wasm.yml.

Also, we need to add a step to upgrade npm:

`npm install -g npm@latest`

Trusted publishing requires npm 11.5.1 or later (see https://docs.npmjs.com/trusted-publishers), but the ubuntu-latest runner currently comes with npm 10.8.2 (https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md), so we have to update it manually.

@zanieb (Member, Author) commented Mar 25, 2026

Are you sure about the workflow name? Our other trusted publishers use the child workflow name.

The npm bit is good to know! I'll add that, unless you want to open a pull.

@j178 (Contributor) commented Mar 25, 2026

Most of the docs about trusted publishing are pretty vague when it comes to the “workflow name” field. From my experience with prek, only PyPI actually verifies the child name. npm and crates.io verify the caller name instead.

PyPI: [screenshot]

crates.io: [screenshot]

npm: [screenshot]

@zanieb (Member, Author) commented Mar 25, 2026

Alas. Thank you!

@woodruffw (Member) commented

> Most of the docs about trusted publishing are pretty vague when it comes to the “workflow name” field. From my experience with prek, which uses trusted publishing for PyPI, npm, and crates.io, only PyPI actually verifies the child name. npm and crates.io verify the caller name instead.

This is correct -- see pypi/warehouse#11096 for context.

The TL;DR is that reusable workflows produce OIDC tokens with two identities in them, and PyPI (because it was the first to implement this flow) mistakenly uses the job_workflow_ref everywhere instead of workflow_ref. This ends up being secure because it's cross-checked for parent caller consistency (the caller needs to be in the same repo), but inconsistent with how every other implementation of Trusted Publishing works (since they learned from PyPI's mistakes).
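Worked illustration of the identity question raised in the two comments above: j178's observation that npm and crates.io match the caller workflow while PyPI matches the reusable (child) workflow, and woodruffw's explanation that a reusable-workflow OIDC token carries two identities (`workflow_ref` and `job_workflow_ref`). This is an added example and not code from the ruff repository or from any registry. It assumes the claim names follow GitHub's documented OIDC token format; the token payloads are constructed and unsigned (an `alg=none` token is never something a verifier should accept), `someone-else/actions` is a made-up repository, and the two matching functions are simplified models of each registry's policy, not their real implementations.

```python
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Publisher:
    """A configured trusted publisher: repository plus the file name that the
    registry UI labels "workflow name" (assumption: only these two fields)."""
    repository: str          # "owner/repo"
    workflow_filename: str   # e.g. "release.yml"


def _path(ref: str) -> str:
    # A *_ref claim looks like "owner/repo/.github/workflows/x.yml@refs/heads/main".
    return ref.split("@", 1)[0]


def workflow_filename(ref: str) -> str:
    return _path(ref).rsplit("/", 1)[-1]


def workflow_repository(ref: str) -> str:
    return "/".join(_path(ref).split("/")[:2])


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for demonstration only (constructed input)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def decode_unverified_claims(token: str) -> dict:
    """Read the payload without signature verification, only to inspect claims.
    A real registry verifies the signature against GitHub's JWKS first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def matches_caller_policy(claims: dict, pub: Publisher) -> bool:
    """npm / crates.io style (simplified): the identity is the calling workflow."""
    return (claims["repository"] == pub.repository
            and workflow_filename(claims["workflow_ref"]) == pub.workflow_filename)


def matches_pypi_policy(claims: dict, pub: Publisher) -> bool:
    """PyPI style (simplified): the identity is the reusable workflow, cross-checked
    to live in the caller's repository so that another repo cannot reuse it."""
    return (claims["repository"] == pub.repository
            and workflow_repository(claims["job_workflow_ref"]) == claims["repository"]
            and workflow_filename(claims["job_workflow_ref"]) == pub.workflow_filename)


def workflow_name_to_configure(claims: dict, registry: str) -> str:
    """Which file name to enter in the registry's "workflow name" field for a
    release.yml -> publish-wasm.yml reusable-workflow setup."""
    ref = claims["job_workflow_ref"] if registry == "pypi" else claims["workflow_ref"]
    return workflow_filename(ref)


# Constructed sample claims: release.yml in astral-sh/ruff calling the
# reusable publish-wasm.yml in the same repository.
SAMPLE_CLAIMS = {
    "repository": "astral-sh/ruff",
    "workflow_ref": "astral-sh/ruff/.github/workflows/release.yml@refs/heads/main",
    "job_workflow_ref": "astral-sh/ruff/.github/workflows/publish-wasm.yml@refs/heads/main",
}

# Constructed: same caller, but the reusable workflow lives in another (made-up) repo.
FOREIGN_REUSABLE_CLAIMS = {
    **SAMPLE_CLAIMS,
    "job_workflow_ref": "someone-else/actions/.github/workflows/publish-wasm.yml@refs/heads/main",
}

if __name__ == "__main__":
    claims = decode_unverified_claims(make_unsigned_token(SAMPLE_CLAIMS))
    for registry in ("npm", "crates.io", "pypi"):
        print(registry, "->", workflow_name_to_configure(claims, registry))
```

Run stand-alone, the script reports `release.yml` for npm and crates.io and `publish-wasm.yml` for PyPI, which is the configuration mismatch the thread is about. The `FOREIGN_REUSABLE_CLAIMS` case shows why PyPI's `job_workflow_ref` choice still holds up: the same-repository cross-check rejects a reusable workflow pulled in from elsewhere.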

carljm added a commit that referenced this pull request Mar 25, 2026
* main:
  [ty] make `test-case` a dev-dependency (#24187)
  [ty] implement cycle normalization for more types to prevent too-many-cycle panics (#24061)
  [ty] Silence all diagnostics in unreachable code (#24179)
  [ty] Intern `InferableTypeVars` (#24161)
  Implement unnecessary-if (RUF050) (#24114)
  Recognize `Self` annotation and `self` assignment in SLF001 (#24144)
  Bump the npm version before publish (#24178)
  [ty] Disallow Self in metaclass and static methods (#23231)
  Use trusted publishing for NPM packages (#24171)
  [ty] Respect non-explicitly defined dataclass params (#24170)
  Add RUF072: warn when using `%` operator on an f-string (#24162)
  [ty] Check return type of generator functions (#24026)
  Implement useless-finally (RUF-072) (#24165)
  [ty] Add test for a dataclass with a default field converter (#24169)
  [ty] Dataclass field converters (#23088)
  [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
  [ty] Add support for `typing.Concatenate` (#23689)
  `ASYNC115`: autofix to use full qualified `anyio.lowlevel` import (#24166)
  [ty] Disallow read-only fields in TypedDict updates (#24128)
  Speed up diagnostic rendering (#24146)
nicopauss pushed a commit to Intersec/lib-common that referenced this pull request Apr 1, 2026
##### [`v0.15.8`](https://github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#0158)

Released on 2026-03-26.

##### Preview features

- [`ruff`] New rule `unnecessary-if` (`RUF050`) ([#24114](astral-sh/ruff#24114))
- [`ruff`] New rule `useless-finally` (`RUF072`) ([#24165](astral-sh/ruff#24165))
- [`ruff`] New rule `f-string-percent-format` (`RUF073`): warn when using `%` operator on an f-string ([#24162](astral-sh/ruff#24162))
- [`pyflakes`] Recognize `frozendict` as a builtin for Python 3.15+ ([#24100](astral-sh/ruff#24100))

##### Bug fixes

- [`flake8-async`] Use fully-qualified `anyio.lowlevel` import in autofix (`ASYNC115`) ([#24166](astral-sh/ruff#24166))
- [`flake8-bandit`] Check tuple arguments for partial paths in `S607` ([#24080](astral-sh/ruff#24080))
- [`pyflakes`] Skip `undefined-name` (`F821`) for conditionally deleted variables ([#24088](astral-sh/ruff#24088))
- `E501`/`W505`/formatter: Exclude nested pragma comments from line width calculation ([#24071](astral-sh/ruff#24071))
- Fix `%foo?` parsing in IPython assignment expressions ([#24152](astral-sh/ruff#24152))
- `analyze graph`: resolve string imports that reference attributes, not just modules ([#24058](astral-sh/ruff#24058))

##### Rule changes

- [`eradicate`] ignore `ty: ignore` comments in `ERA001` ([#24192](astral-sh/ruff#24192))
- [`flake8-bandit`] Treat `sys.executable` as trusted input in `S603` ([#24106](astral-sh/ruff#24106))
- [`flake8-self`] Recognize `Self` annotation and `self` assignment in `SLF001` ([#24144](astral-sh/ruff#24144))
- [`pyflakes`] `F507`: Fix false negative for non-tuple RHS in `%`-formatting ([#24142](astral-sh/ruff#24142))
- [`refurb`] Parenthesize generator arguments in `FURB142` fixer ([#24200](astral-sh/ruff#24200))

##### Performance

- Speed up diagnostic rendering ([#24146](astral-sh/ruff#24146))

##### Server

- Warn when Markdown files are skipped due to preview being disabled ([#24150](astral-sh/ruff#24150))

##### Documentation

- Clarify `extend-ignore` and `extend-select` settings documentation ([#24064](astral-sh/ruff#24064))
- Mention AI policy in PR template ([#24198](astral-sh/ruff#24198))

##### Other changes

- Use trusted publishing for NPM packages ([#24171](astral-sh/ruff#24171))

##### Contributors

- [@bitloi](https://github.com/bitloi)
- [@Sim-hu](https://github.com/Sim-hu)
- [@mvanhorn](https://github.com/mvanhorn)
- [@chinar-amrutkar](https://github.com/chinar-amrutkar)
- [@markjm](https://github.com/markjm)
- [@RenzoMXD](https://github.com/RenzoMXD)
- [@vivekkhimani](https://github.com/vivekkhimani)
- [@seroperson](https://github.com/seroperson)
- [@moktamd](https://github.com/moktamd)
- [@charliermarsh](https://github.com/charliermarsh)
- [@ntBre](https://github.com/ntBre)
- [@zanieb](https://github.com/zanieb)
- [@dylwil3](https://github.com/dylwil3)
- [@MichaReiser](https://github.com/MichaReiser)

Renovate-Branch: renovate/2024.6-ruff-0.15.x
Change-Id: Ifd4216a963962ffb24a4df69802bc60fcc29628d
Priv-Id: 46d2f61be3a5e65a9fdd2fef998ba41ea3388f12