
sec: update to using staged publishing #10926

Merged: jasonsaayman merged 1 commit into v1.x from sec/stage-publish on May 21, 2026

Conversation

jasonsaayman (Member) commented May 21, 2026

Summary

Update the publish action to use staged publishing

Linked issue

N/A

Changes

N/A

Checklist

  • Tests added or updated (or N/A with reason)
  • Docs / types updated if public API changed (index.d.ts and index.d.cts)
  • No breaking changes (or called out explicitly above)

Summary by cubic

Switch the release workflow to npm’s staged publishing for safer, auditable releases. Replaces npm publish with npm stage publish in CI.

Description

  • Summary of changes
    • Update .github/workflows/publish.yml to run npm stage publish --provenance --access public.
  • Reasoning
    • Use staged publishing to improve supply-chain security and provenance.
    • Keeps the same publish flags; only changes the publish method.
  • Additional context
    • Requires npm that supports staged publishing (npm v10.8+).
    • No source or package changes.

Docs

Please update the release guide in /docs/ to:

  • Note we use staged publishing (npm stage publish).
  • Call out the required npm version.
  • Briefly describe the staged publish flow and expectations.

Testing

  • No unit tests changed; this is CI-only.
  • Validate by running the publish workflow on a prerelease tag to ensure staging and release work as expected.

Semantic version impact

No impact to package semantics. Infrastructure-only change; treat as a patch (no API changes).

Written for commit b8d5278.
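The workflow change the summary describes, written out as an added example rather than the project's actual `.github/workflows/publish.yml`. It assumes the package is published through npm trusted publishing via GitHub OIDC (hence `id-token: write`), that the workflow fires on version tags, and it pins npm to the 11.15.0 minimum that the later v0.x commit message names, because the npm bundled with Node may predate staged publishing; the registry-side trusted-publisher setting that shaanmajid asks about is assumed to have been enabled separately.

```yaml
# Added example of a staged-publish release workflow; not the project's own file.
name: publish

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: read
  id-token: write   # OIDC token for npm trusted publishing and --provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'

      # Assumption: the bundled npm is older than the 11.15.0 minimum named in
      # the v0.x commit message, so pin it explicitly. Drop this step once
      # Node ships a new enough npm.
      - run: npm install -g npm@11.15.0
      - run: npm --version

      - run: npm ci
      - run: npm test

      # Before: npm publish --provenance --access public
      # After: same flags, but the release lands in npm's stage queue and a
      # maintainer must approve it before it becomes installable.
      - run: npm stage publish --provenance --access public
```

If the trusted-publisher configuration on the registry has not been switched to staged publishing, the comment below reports that the final step fails with a 403 rather than silently publishing, which is the safe failure direction.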

@jasonsaayman jasonsaayman self-assigned this May 21, 2026
@jasonsaayman jasonsaayman added priority::medium (A medium priority), commit::chore (The PR is related to a chore), type::security (The PR is a security-related change, normally from a CVE) labels May 21, 2026

cubic-dev-ai (Bot, Contributor) left a comment

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@jasonsaayman jasonsaayman merged commit 29e42a1 into v1.x May 21, 2026
26 checks passed
@jasonsaayman jasonsaayman deleted the sec/stage-publish branch May 21, 2026 17:05
shaanmajid (Contributor) commented May 22, 2026

Just wanted to confirm -- did you also update the Trusted Publishing config on the npm registry side to enable staged publishing for OIDC (see recommended setup)? This is required for staged publishing to succeed, or else it fails with a 403. Would also recommend forbidding regular npm publish / non-staged publishing via OIDC (but this would require adding this change to the v0.x branch as well -- see #10936).

jasonsaayman pushed a commit that referenced this pull request May 24, 2026
* ci(publish): adopt npm staged publishing on v0.x

Switch the v0.x publish workflow to `npm stage publish` so a maintainer
must approve each release from npm's stage queue (2FA proof-of-presence)
before it becomes installable, even for non-interactive OIDC CI publishes.
Mirrors the staged-publishing model upstream adopted on v1.x (#10926).

Pin npm to 11.15.0 explicitly: Node 24/26 currently bundle npm 11.13.0,
below the 11.15.0 minimum that `npm stage publish` requires.

* docs(ci): note npm pin is temporary until node bundles npm 11.15.0