chore(NODE-7563): migrate 6.x release workflows to npm trusted publishers#4943
Closed
tadjik1 wants to merge 3 commits into
Closed
chore(NODE-7563): migrate 6.x release workflows to npm trusted publishers#4943tadjik1 wants to merge 3 commits into
tadjik1 wants to merge 3 commits into
Conversation
…hers Replace NPM_TOKEN with OIDC dispatch to npm-publish.yml in release-6.x.yml, release-alpha.yml, and release-nightly.yml; add dispatch-and-wait.mjs; remove dormant release-6.8.yml.
This was referenced May 18, 2026
![semgrep-code-mongodb[bot]](https://avatars.githubusercontent.com/u/45120?s=60&v=4){kind=small}
Comment on lines
+33
to
+37
| run: | | ||
| node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \ | ||
| tag=alpha \ | ||
| version="${{ inputs.alphaVersion }}" \ | ||
| ref="${{ github.sha }}" |
There was a problem hiding this comment.
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
🎈 Fixed in commit 15ab807 🎈
Member
Author
There was a problem hiding this comment.
Worth to mention - this was pre-existing pattern.
Move alphaVersion input to an env var so bash does not perform command substitution on user-controlled input (semgrep finding).
tadjik1
changed the title
Member
Author
|
closed as we are not going to backport these changes yet |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Summary of Changes
Migrates
release-6.x.yml,release-alpha.yml, andrelease-nightly.ymlon the6.xbranch to npm Trusted Publishing by dispatching to the centralizednpm-publish.ymlworkflow (lives onmain, introduced in #4930). Addsdispatch-and-wait.mjshelper script — required because GitHub Actions loads workflow files from the triggering branch, but the script defaults to loadingnpm-publish.ymlfrommain. Also removes the dormantrelease-6.8.yml(6.8 branch is EOL; last release was 6.8.2 in Sep 2024).Notes for Reviewers
The
6.xbranch usesdrivers-github-tools@v2(notv3like main) — this is pre-existing and not changed by this PR.Main PR: #4941 — 5.x PR: #4942
Double check the following
npm run check:lint)type(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript