👷 Drop OTP prompt from npm publish #7011
npm ignores --otp under trusted publishing, so the wait-for-secrets step that asked for an OTP from an authenticator app is no longer needed.
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage diff against `main` for #7011:

| Metric   | main   | #7011  | +/- |
|----------|--------|--------|-----|
| Coverage | 94.81% | 94.81% |     |
| Files    | 212    | 212    |     |
| Lines    | 5868   | 5868   |     |
| Branches | 1540   | 1539   | -1  |
| Hits     | 5564   | 5564   |     |
| Misses   | 296    | 296    |     |
| Partials | 8      | 8      |     |

Flags with carried forward coverage won't be shown.
## Description

> AI-agent disclosure: this PR was authored by an automated agent (Claude Code) and has not been line-by-line reviewed by a human before submission.

Switches every `publish_package_*` job in `.github/workflows/build-status.yml` from `pnpm publish` to [`npm stage publish`](npm/cli#9201). With staged publishing, CI uploads the tarball into a holding area on the registry instead of releasing it immediately — a maintainer then has to approve the staged version (with 2FA) before it becomes installable. End users still receive the same artifacts on npm, but the release step is no longer fully automated: there is now an explicit approval gate between a tag being pushed and the package going live.

This is a follow-up to #7011 (which already removed the OTP prompt from the publish call); together they move the workflow toward npm's recommended staged-release flow.

Each publish job now:

- installs `npm@latest` so the runner-provided npm is upgraded before publishing — the `stage` subcommand landed in npm 11.15.0 and is not yet bundled with Node 24's default npm;
- runs both `npm install -g` and `npm stage publish` from the parent directory (`cd ..`), because the repo's `package.json` pins pnpm via `devEngines` and would otherwise block npm from executing inside the workspace;
- no longer needs the `pnpm/action-setup` step or the pnpm-specific `--no-git-checks` flag, both of which were dropped from the seven affected jobs.

Non-publish jobs were intentionally left alone and still install pnpm — only the release plumbing changes.

Because the diff only touches the workflow file, there are no source, dependency, or published-artifact changes, no semver impact to flag, and no changeset to add; the new code path is exercised the next time a `v*` tag is pushed.

## Checklist — _Don't delete this checklist and make sure you do the following before opening the PR_

- [x] I have a full understanding of every line in this PR — whether the code was hand-written, AI-generated, copied from external sources or produced by any other tool
- [x] I flagged the impact of my change (minor / patch / major) either by running `pnpm run bump` or by following the instructions from the changeset bot
- [x] I kept this PR focused on a single concern and did not bundle unrelated changes
- [x] I followed the [gitmoji](https://gitmoji.dev/) specification for the name of the PR, including the package scope (e.g. `🐛(vitest) Something...`) when the change targets a package other than `fast-check`
- [x] I added relevant tests and they would have failed without my PR (when applicable)

Co-authored-by: Claude <noreply@anthropic.com>
## Description

Publishing the seven workspace packages no longer pauses CI to wait for a one-time password from an authenticator app. Maintainers releasing a new version no longer need to be online with their TOTP app at hand when a tag lands on `main` (or a `next-*`/`fix-v*` branch) — the workflow now runs end-to-end on its own as soon as the tag is pushed.

This is a CI-only change: nothing about the published artifacts, their contents, attestations, or the `latest`/`next`/`legacy` dist-tag routing is altered. No bump is needed since no package source is touched.

Fixes #issue-number

The publish jobs were running `pnpm publish --otp "$OTP_VALUE" …`, with `OTP_VALUE` populated by a `step-security/wait-for-secrets` step prompting an authorised maintainer to type in a TOTP code. Under npm's trusted publishing (OIDC) flow — which this repo already uses, as evidenced by the `id-token: write` permission and the `# zizmor: ignore[use-trusted-publishing]` markers — npm authenticates the publish via the GitHub OIDC token and ignores any `--otp` value passed on the CLI. The interactive prompt was therefore pure friction with no security benefit.

Each of the seven publish jobs (`fast-check`, `ava`, `jest`, `packaged`, `poisoning`, `vitest`, `worker`) has had the `wait-for-secrets` step, the `OTP_VALUE` env var, and the `--otp "$OTP_VALUE"` flag removed in lock-step so the seven jobs stay structurally identical. Net diff: -63 / +7 lines in `.github/workflows/build-status.yml`. The change is intentionally scoped to OTP removal — the rest of the publish pipeline (renaming the tgz, attestation, GitHub Release update) is untouched.

No tests are added: the file under change is a GitHub Actions workflow whose only real-world signal is "does the next tagged release publish cleanly". This will be exercised the next time a version tag is pushed.
## Checklist — _Don't delete this checklist and make sure you do the following before opening the PR_

- … `pnpm run bump` or by following the instructions from the changeset bot
- … `🐛(vitest) Something...`) when the change targets a package other than `fast-check`

Generated by Claude Code
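As an added illustration (not the fast-check repository's actual `build-status.yml`, which this page does not reproduce, and not code from the PR author), here is one publish job as the description above says it looked before #7011, next to the same job with the OTP plumbing removed. The `wait-for-secrets` step, the `OTP_VALUE` variable, the `--otp "$OTP_VALUE"` and `--no-git-checks` flags and the `id-token: write` permission are the elements the description names; the job ids, action version tags, Node version and the prompt text inside the `wait-for-secrets` step are assumptions.

```yaml
# Illustrative reconstruction, not the fast-check repo's workflow file.
# Job ids, action versions, node-version and prompt wording are assumptions.
name: Publish (illustration)

on:
  push:
    tags: ['v*']

jobs:
  # BEFORE #7011: CI blocks until a maintainer types a TOTP code, even though
  # npm's trusted-publishing (OIDC) flow authenticates with the job's OIDC
  # token and ignores the --otp value entirely.
  publish_package_before:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job mint the OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - uses: pnpm/action-setup@v4
      # Interactive step: waits for a human to supply the secret at run time.
      - uses: step-security/wait-for-secrets@v1
        id: wait-for-secrets
        with:
          secrets: |
            OTP:
              name: 'OTP to publish to npm'
              description: 'TOTP code from an authenticator app'
      - name: Publish
        run: pnpm publish --no-git-checks --otp "$OTP_VALUE"
        env:
          OTP_VALUE: ${{ steps.wait-for-secrets.outputs.OTP }}

  # AFTER #7011: same job, OTP step, env var and flag removed. The release is
  # gated only by the short-lived OIDC token plus the trusted-publisher
  # configuration on npm for this repository and workflow; no long-lived
  # token or OTP is involved, so nothing a human typed was protecting it.
  publish_package_after:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - uses: pnpm/action-setup@v4
      - name: Publish
        run: pnpm publish --no-git-checks
```

The review point this makes concrete: dropping the OTP does not weaken the publish, because under trusted publishing the OTP was never consulted. The control that actually decides who may release is the trusted-publisher binding configured on npm (which repository and which workflow file may publish) together with the `id-token: write` permission, so that permission belongs on the publish jobs only, not at workflow level. Where a human approval step is still wanted, the follow-up's `npm stage publish` is what reintroduces it, as a deliberate gate on the registry side rather than as an unused CLI flag.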