73 changes: 73 additions & 0 deletions .github/scripts/dispatch-and-wait.mjs
@@ -0,0 +1,73 @@
// @ts-check
// TODO(NODE-7570): replace with workflow_call once GitHub/npm resolve the OIDC
// workflow_ref mismatch (https://github.com/npm/documentation/issues/1755).
//
// Dispatch a workflow_dispatch-triggered GitHub Actions workflow and wait for
// the resulting run to complete (propagating its exit status).
//
// `gh workflow run` prints the created workflow run URL on stdout when the
// server returns it (current github.com API version does); we parse the run
// id out of the URL and pass it to `gh run watch`.
//
// Usage:
// node dispatch-and-wait.mjs <workflow.yml> [key=value ...]
//
// For npm-publish.yml specifically:
// node dispatch-and-wait.mjs npm-publish.yml tag=<tag> version=<v> ref=<sha>
//
// Arguments:
// <workflow.yml> Filename of the target workflow under .github/workflows/
// in the same repo. Must declare `on: workflow_dispatch:`.
// key=value ... Inputs forwarded to the dispatched workflow. Valid keys
// and which of them are required are determined by the
// target workflow's `on.workflow_dispatch.inputs`; the
// dispatch fails if any required input is missing or any
// unknown input is passed. For `npm-publish.yml`, all of
// `tag`, `version`, and `ref` are required.
// Example: tag=nightly version=1.2.3 ref=abc1234
//
// Environment:
// GH_TOKEN (required) used by the gh CLI; in a workflow set
// this to ${{ github.token }}.
// DISPATCH_WORKFLOW_REF (optional, default `main`) git ref the target
// workflow file is loaded from. Hardcoded to main by
// default so callers on backport branches don't have
// to keep a copy of the target workflow on their
// branch.
import * as child_process from 'node:child_process';
import * as process from 'node:process';

const [, , workflow, ...inputArgs] = process.argv;
if (!workflow) {
console.error('usage: dispatch-and-wait.mjs <workflow.yml> [key=value ...]');
process.exit(2);
}

const dispatchRef = process.env.DISPATCH_WORKFLOW_REF || 'main';

const ghArgs = [
'workflow', 'run', workflow,
'--ref', dispatchRef,
...inputArgs.flatMap(kv => ['-f', kv])
];
console.log(`Dispatching ${workflow} from ref ${dispatchRef}`);

const dispatch = child_process.spawnSync('gh', ghArgs, {
encoding: 'utf8',
stdio: ['inherit', 'pipe', 'inherit']
});
if (dispatch.status !== 0) process.exit(dispatch.status ?? 1);

// gh prints e.g. "https://github.com/owner/repo/actions/runs/<id>"
const match = dispatch.stdout.match(/\/actions\/runs\/(\d+)/);
if (!match) {
console.error('Could not extract run id from gh workflow run output:', dispatch.stdout);
process.exit(1);
}
const runId = match[1];
console.log(`Dispatched run ${runId}`);

const watch = child_process.spawnSync('gh', ['run', 'watch', runId, '--exit-status'], {
stdio: 'inherit'
});
process.exit(watch.status ?? 1);
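Review bot: the `if (!match)` failure path runs after the dispatch has already succeeded, so whenever `gh workflow run` prints no run URL (the header comment itself only promises one "when the server returns it") the caller exits 1 while the publish run keeps going with nothing waiting on it, and a release operator sees "failed" for a run that may well publish. Recover the id instead of giving up, for example `gh run list --workflow <workflow> --json databaseId,createdAt` and take the newest run created after the dispatch, or at minimum log that a run was dispatched before exiting so the failure is not mistaken for "nothing published". Related: when `spawnSync` cannot start `gh` at all, `dispatch.status` is `null` and the cause sits in `dispatch.error`, so `process.exit(dispatch.status ?? 1)` exits with no diagnostic; print `dispatch.error` (and `watch.error`) first. Also consider rejecting any argument without an `=` up front instead of letting `gh` fail on a malformed `-f`.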
113 changes: 0 additions & 113 deletions .github/workflows/release-6.8.yml

This file was deleted.

16 changes: 10 additions & 6 deletions .github/workflows/release-6.x.yml
@@ -6,7 +6,6 @@ on:
permissions:
contents: write
pull-requests: write
id-token: write

name: release-6.x

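Review bot: removing `id-token: write` here means no job in this workflow can mint an OIDC token any more, so the `--provenance` attestation that `npm publish` produced in the `publish` job now has to come from `npm-publish.yml`, which is not part of this diff; confirm that workflow declares `id-token: write` itself and still passes `--provenance`, otherwise the move quietly downgrades the release from attested to unattested. The top-level block still hands `contents: write` and `pull-requests: write` to every job; since `publish` now gets its own job-level `permissions:` further down, the remaining jobs could be scoped the same way.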
@@ -91,15 +90,20 @@ jobs:

publish:
needs: [release_please, ssdlc, build]
permissions:
actions: write
contents: read
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5

- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2

- run: npm publish --provenance --tag=6x
- name: Dispatch npm-publish workflow
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GH_TOKEN: ${{ github.token }}
run: |
node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \
tag=6x \
version="$(node -p "require('./package.json').version")" \
ref="${{ github.sha }}"
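Review bot: `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` stays in the env of this step, but the step now runs only the dispatch script, which talks to GitHub with `GH_TOKEN`; `npm publish` has left this workflow, so the npm token is handed to a process that never uses it. Drop it from the step (and from the workflow altogether if `npm-publish.yml` authenticates with OIDC rather than a long-lived token). Note too that `actions: write` is not scoped to one workflow: the job token can dispatch, cancel or re-run any workflow in the repository, so the `environment: release` gate on this job is what still limits who reaches this step and should stay.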
20 changes: 13 additions & 7 deletions .github/workflows/release-alpha.yml
@@ -9,7 +9,8 @@ on:
type: string

permissions:
id-token: write
actions: write
contents: read

name: release-alpha

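Review bot: `actions: write` is the permission that lets `GITHUB_TOKEN` call `gh workflow run`, but GitHub does not narrow it to a single workflow: the token can dispatch, cancel or re-run any workflow in the repository. This job shows no `environment:` gate (unlike `release-6.x`) and the workflow is itself `workflow_dispatch`-triggered, so anyone allowed to run it can now reach the publish path through it. The control therefore has to live on the `npm-publish.yml` side (an environment with required reviewers, and a check that the `ref` input is on an allowed branch); that file is not in this diff, so worth confirming before merge.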
@@ -18,17 +19,22 @@ jobs:
runs-on: ubuntu-latest
steps:
- shell: bash
env:
ALPHA_VERSION: ${{ inputs.alphaVersion }}
run: |
ALPHA_SEMVER_REGEXP="-alpha(\.([0-9]|[1-9][0-9]+))?$"

if ! [[ "${{ inputs.alphaVersion }}" =~ $ALPHA_SEMVER_REGEXP ]]; then
if ! [[ "$ALPHA_VERSION" =~ $ALPHA_SEMVER_REGEXP ]]; then
echo "Invalid alphaVersion string"
exit 1
fi
- uses: actions/checkout@v5
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2
- run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false
- run: npm publish --provenance --tag=alpha
- name: Dispatch npm-publish workflow
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GH_TOKEN: ${{ github.token }}
ALPHA_VERSION: ${{ inputs.alphaVersion }}
run: |
node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \
tag=alpha \
version="$ALPHA_VERSION" \
ref="${{ github.sha }}"
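Review bot: `ALPHA_VERSION: ${{ inputs.alphaVersion }}` is declared once on the validation step and again on the dispatch step; hoist it to a job-level `env:` so the value that is regex-checked and the value forwarded as `version=` cannot drift apart when one step is edited later. The check itself only anchors the suffix (`-alpha(\.([0-9]|[1-9][0-9]+))?$`), so any prefix passes; that was harmless while `npm version` ran in this job and rejected non-semver input, but that step is gone and the string now goes straight to `npm-publish.yml`, so either anchor the whole value here (`^[0-9]+\.[0-9]+\.[0-9]+-alpha...$`) or make sure the dispatched workflow validates it. `ref="${{ github.sha }}"` is still interpolated inline; `github.sha` is a fixed hex digest and not injectable, but routing it through `env:` too would keep the step consistent with the fix.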
Comment on lines +36 to +40

semgrep-code-mongodb (bot), May 18, 2026:

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

🎈 Fixed in commit 15ab807 🎈

Member Author:

Worth mentioning: this was a pre-existing pattern.

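The injection class the bot comment describes, shown end to end as an added example (not code from this PR or from the repository): the Actions runner substitutes `${{ ... }}` into the `run:` text before the shell ever parses it, so an input containing shell syntax becomes code, while a value passed through `env:` stays data. The two step templates, the `bash` invocation standing in for the runner, and the malicious `alphaVersion` payload are constructed for this demonstration; the regex is the one from `release-alpha.yml`.

```shell
#!/bin/sh
# Added example, not from the PR. Simulates the Actions runner: ${{ ... }} is
# pasted textually into the run: script (pre-fix step) versus read from the
# environment (post-fix step). Requires bash, the shell the workflow declares.

# Regex copied from release-alpha.yml; everything else below is constructed.
RE='-alpha(\.([0-9]|[1-9][0-9]+))?$'
PLACEHOLDER='${{ inputs.alphaVersion }}'

# Validation line as it was before the fix: placeholder still unexpanded.
INLINE_TEMPLATE='if ! [[ "${{ inputs.alphaVersion }}" =~ $RE ]]; then echo invalid; exit 1; fi; echo valid'
# Same line after the fix: script text is constant, value arrives via env.
ENV_TEMPLATE='if ! [[ "$ALPHA_VERSION" =~ $RE ]]; then echo invalid; exit 1; fi; echo valid'

# Constructed malicious alphaVersion: closes the [[ test, runs a command, reopens it.
PAYLOAD='" ]]; then :; fi; echo INJECTED; if [[ "'

# render_inline: what the runner hands to bash for the pre-fix step (textual paste).
render_inline() {
  before=${INLINE_TEMPLATE%%"$PLACEHOLDER"*}
  after=${INLINE_TEMPLATE#*"$PLACEHOLDER"}
  printf '%s%s%s' "$before" "$1" "$after"
}

# Execute each rendered step under bash and return its combined output.
run_step_inline() { bash -c "RE='$RE'; $(render_inline "$1")" 2>&1; }
run_step_env()    { ALPHA_VERSION="$1" bash -c "RE='$RE'; $ENV_TEMPLATE" 2>&1; }

# injected: "yes" if the payload's command actually executed, "no" otherwise.
injected() {
  if printf '%s\n' "$1" | grep -q '^INJECTED$'; then echo yes; else echo no; fi
}

inline_result() { injected "$(run_step_inline "$PAYLOAD")"; }  # yes: code ran
env_result()    { injected "$(run_step_env "$PAYLOAD")"; }     # no: rejected as data

# env_verdict: the hardened step's decision for an arbitrary value ("valid"/"invalid").
env_verdict() { run_step_env "$1" | tail -n 1; }

printf 'pre-fix step, injected command ran:  %s\n' "$(inline_result)"
printf 'post-fix step, injected command ran: %s\n' "$(env_result)"
printf 'post-fix step on 1.2.3-alpha.4:      %s\n' "$(env_verdict 1.2.3-alpha.4)"
printf 'post-fix step on 1.2.3-alpha.04:     %s\n' "$(env_verdict 1.2.3-alpha.04)"
```

With the inline template the payload not only runs its own command, the step then reports `valid` because the reopened `[[` test never sees the original value; with the env template the same payload simply fails the regex. Note that the suffix-only regex still accepts any prefix before `-alpha`, so the env form is a fix for injection, not a full semver check.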
12 changes: 9 additions & 3 deletions .github/workflows/release-nightly.yml
@@ -11,7 +11,8 @@ on:
workflow_dispatch: {}

permissions:
id-token: write
actions: write
contents: read

name: release-nightly

@@ -25,6 +26,11 @@ jobs:
- id: build_nightly
run: npm run build:nightly
- if: ${{ steps.build_nightly.outputs.publish == 'yes' }}
run: npm publish --provenance --tag=nightly
name: Dispatch npm-publish workflow
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GH_TOKEN: ${{ github.token }}
run: |
node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \
tag=nightly \
version="$(node -p "require('./package.json').version")" \
ref="${{ github.sha }}"
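Review bot: the step keeps `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` although it no longer runs `npm publish`, only the dispatch script authenticated by `GH_TOKEN`; remove it so the npm token is not exposed to a process that does not need it. A smaller readability point: `if:` now precedes `name:` in this step, which is valid YAML but reads as though the condition belongs to the `build_nightly` step above; put `name:` first as the other two workflows do.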