ci(release): enable trusted publishing & attestations#4899
Merged by WillLillis (1 commit into tree-sitter:master), Dec 8, 2025
Conversation
WillLillis approved these changes, Dec 6, 2025.

Contributor:
Have you run this new workflow on your fork and verified that it can successfully create a release (without uploading, of course)?
Member, Author:
Unfortunately trusted publishing can't be tested without actually publishing because most of the configuration is on the registry.
Contributor:
But you can at least test that the changes did not break the release part. We want to make sure that we don't need another round of fixup releases.
Contributor:
Great idea, thanks for setting this up @ObserverOfTime. I can remove the tokens once we see this works.
Member, Author:
@maxbrunsfeld Could you also set up tree-sitter on PyPI for tree-sitter/py-tree-sitter#421?
In light of the recent (and older) supply chain attacks through compromised tokens, enabling trusted publishing allows us to get rid of our tokens and restrict releases to this particular workflow.
Provided the upcoming release is published successfully, the next steps will be to remove the tokens from the secrets (assuming they are backed up somewhere), and to disallow tokens in general for the npm packages.
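For readers who want to see what "restrict releases to this particular workflow" looks like in practice, here is an added example of a release workflow using registry trusted publishing (OIDC) with attestations; it is not the tree-sitter project's own workflow, and the trigger, job names, `pypi` environment name and the assumption that the packages were registered as trusted publishers on npm and PyPI are illustrative.

```yaml
# Added example: release job using trusted publishing (OIDC) instead of
# long-lived registry tokens. Not the tree-sitter repository's workflow;
# trigger, job names and environment name are assumptions for illustration.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read   # default for every job: nothing needs write access to the repo

jobs:
  npm:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # lets this job mint the OIDC token the registry verifies
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm >= 11.5.1; upgrade in case the bundled one is older.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm test
      # No NODE_AUTH_TOKEN / NPM_TOKEN is set. npm exchanges the workflow's OIDC
      # token for a short-lived credential and attaches provenance; the registry
      # accepts the publish only from the repo + workflow file registered as the
      # package's trusted publisher, so a leaked secret cannot reproduce it.
      - run: npm publish --provenance --access public

  pypi:
    runs-on: ubuntu-latest
    environment: pypi   # assumption: the PyPI trusted publisher was bound to this environment
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build && python -m build
      # No password/token input: the action authenticates with the OIDC token and,
      # by default, uploads PEP 740 attestations alongside the distributions.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The registry-side half of the change the description refers to (registering this workflow as each package's trusted publisher, and disallowing token-based publishes for the npm packages) is configured in the package settings on the registry, not in the workflow file.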