
ci: harden release with OIDC trusted publishing (TanStack-style, tokenless)#258

Merged: AlemTuzlak merged 2 commits into main from fix/release-workflow-pat on Jun 1, 2026

Conversation

@AlemTuzlak AlemTuzlak commented Jun 1, 2026

Reworks the release flow to be tokenless, mirroring TanStack/ai. Supersedes the earlier PAT-based approach (the PAT added the exact secret-exposure risk we were trying to avoid, and the automated commit security review flagged it).

Why the publish never happened for v6.2.1

The version bump (#257) landed on main but the package was never published to npm. The Release run that does changeset publish didn't fire after the Release PR merge (likely disrupted by the recent repo move). Rather than paper over it with a PAT, this adopts the more secure, proven TanStack pattern + a manual recovery valve.

Changes

  • OIDC Trusted Publishing: .npmrc provenance=true + id-token: write; no NPM_TOKEN, no PAT. pnpm 10.18 supports OIDC (pnpm#9812, closed 2025-07-30).
  • Pinned action SHAs for checkout / pnpm / setup-node / changesets (supply-chain hardening).
  • Job guard github.repository_owner == 'code-forge-io' && github.ref == 'refs/heads/main' — no fork runs, and workflow_dispatch can only publish from main.
  • Node pinned to 24 (npm 11) so OIDC works even if pnpm delegates to npm publish.
  • Dropped actions: write; added non-cancelling concurrency.
  • workflow_dispatch kept as a guarded manual recovery valve.
  • Also: inlined "files": ["dist"] in package.json (biome was rejecting the multi-line form left by the version bump).

Resolves security review findings

  1. Persisted PAT credentials -> PAT removed; only the ephemeral GITHUB_TOKEN remains.
  2. Unrestricted workflow_dispatch -> guarded to main.

Required before this can publish (one-time, owner-only)

Configure a trusted publisher for react-router-devtools on npmjs.com:
npmjs.com -> package settings -> Publishing access -> Trusted publisher -> GitHub Actions

  • Repository: code-forge-io/react-router-devtools
  • Workflow filename: publish.yaml
  • Environment: (leave blank)

Order matters: configure the trusted publisher before merging, otherwise the publish step will have no npm auth (NPM_TOKEN is gone).

Publishing the stuck 6.2.1

After the trusted publisher is set up and this PR merges, the merge push triggers a Release run; with no changesets on main it goes straight to changeset publish and publishes 6.2.1 with provenance. (Or run gh workflow run Release manually.)

🤖 Generated with Claude Code
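The workflow shape the description lists, assembled here as an added example; it is not the PR's own publish.yaml (which is not shown on this page). The action SHAs are placeholders to be replaced with audited commits, and the pnpm version and step order are assumptions.

```yaml
name: Release

on:
  push:
    branches: [main]
  workflow_dispatch:   # manual recovery valve; still subject to the job guard below

# Queue overlapping release runs instead of cancelling one mid-publish.
concurrency:
  group: release
  cancel-in-progress: false

# Least privilege: no actions:write, and no NPM_TOKEN or PAT secret anywhere.
permissions:
  contents: write        # changesets/action pushes the Release PR branch and creates GH releases
  pull-requests: write   # changesets/action opens the Release PR
  id-token: write        # lets npm exchange the job's OIDC token for a short-lived publish credential

jobs:
  release:
    # Refuse fork runs and any dispatch from a non-main ref. For workflow_dispatch,
    # github.ref is the branch chosen at dispatch time, so the guard covers it too.
    if: github.repository_owner == 'code-forge-io' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      # Actions pinned to full commit SHAs. The 40-zero values are placeholders:
      # pin the real SHA of the release you audited and keep the tag as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - uses: pnpm/action-setup@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          version: 10.18.0   # assumed exact version; 10.18 is the line the PR names for OIDC support
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          node-version: 24   # ships npm 11, so OIDC still works if pnpm delegates to npm publish
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      # Equivalent to committing provenance=true in the repo's .npmrc, as the PR does.
      # No registry token is written here or read from secrets.
      - run: echo "provenance=true" >> .npmrc
      - uses: changesets/action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          publish: pnpm changeset publish
        env:
          # The only credential in the job: the ephemeral token, scoped by the permissions block.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Publishing succeeds only once the trusted publisher for this repository and workflow filename is configured on npmjs.com, because there is no fallback token for the registry to accept.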

The release version bump left "files": ["dist"] formatted multi-line,
which biome check rejects. CI's test:ci script doesn't run biome check
(only the local pre-commit hook does), so this slipped onto main.

pkg-pr-new Bot commented Jun 1, 2026


npm i https://pkg.pr.new/react-router-devtools@258

commit: 81befa3

Replaces the PAT-based approach with npm Trusted Publishing (OIDC),
mirroring TanStack's release flow. This removes long-lived publishing
secrets entirely and addresses the security review findings.

- npm auth via OIDC: add .npmrc provenance=true + id-token:write, and
  remove the NPM_TOKEN secret usage. Requires a trusted publisher to be
  configured for react-router-devtools on npmjs.com.
- Drop the RELEASE_GITHUB_TOKEN PAT; the changesets action uses only the
  ephemeral GITHUB_TOKEN (to open the Release PR + create GH releases).
- Pin all action versions to commit SHAs (supply-chain hardening).
- Guard the job to this repo + main only (covers workflow_dispatch), so a
  dispatch can never publish from a non-main ref or a fork.
- Pin Node 24 (npm 11) so OIDC works if pnpm delegates to npm publish.
- Drop unused actions:write permission; add concurrency (no cancel).
- Keep workflow_dispatch as a guarded manual recovery valve.
@AlemTuzlak AlemTuzlak force-pushed the fix/release-workflow-pat branch from 8562779 to 81befa3 on June 1, 2026 10:20
@AlemTuzlak AlemTuzlak changed the title from "ci: fix release publish never triggering after Release PR merge" to "ci: harden release with OIDC trusted publishing (TanStack-style, tokenless)" on Jun 1, 2026
@AlemTuzlak AlemTuzlak merged commit 0263127 into main Jun 1, 2026
7 checks passed
@AlemTuzlak AlemTuzlak deleted the fix/release-workflow-pat branch June 1, 2026 10:48