1 change: 1 addition & 0 deletions .github/actions/setup/action.yml
Expand Up @@ -7,6 +7,7 @@ runs:
with:
node-version: 22
cache: yarn
registry-url: 'https://registry.npmjs.org'

- name: Install dependencies
run: yarn --frozen-lockfile --prefer-offline --network-concurrency 1
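Review bot: `registry-url` in this shared composite action changes the `.npmrc` for every workflow that runs `./.github/actions/setup`, not only the publish job that needs it for npm OIDC trusted publishing, and the line itself does not say why it was added. A one-line comment above `registry-url: 'https://registry.npmjs.org'` recording that it exists for the publish workflow would keep the intent visible to anyone editing the action later.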
34 changes: 33 additions & 1 deletion .github/workflows/publish.yml
Expand Up @@ -11,6 +11,7 @@ jobs:
permissions:
contents: write
pull-requests: write
id-token: write
runs-on: ubuntu-latest
environment: publish
steps:
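Review bot: `id-token: write` lets every step of this job request a GitHub OIDC token, and nothing on the line records why the job needs it; an inline comment such as `id-token: write # npm OIDC trusted publishing and provenance` would stop the permission being dropped later as unused. Scoping it to this job rather than the workflow is right, and since the job runs in `environment: publish`, that environment's protection rules gate when a token can be minted.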
Expand All @@ -20,6 +21,37 @@ jobs:
ref: ${{ github.ref }}
- name: Set up environment
uses: ./.github/actions/setup
- name: Install npm 11 for OIDC trusted publishing
run: npm install -g npm@11.12.1
- name: Check for new packages
id: check-packages
run: |
yarn workspaces --json info | node -e "
const info = JSON.parse(JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).data);
for (const [name, meta] of Object.entries(info)) {
const pkgJson = require('./' + meta.location + '/package.json');
if (!pkgJson.private) console.log(name + ':' + meta.location);
}
" | while IFS=: read -r pkg dir; do
if ! npm view "$pkg" version > /dev/null 2>&1; then
echo "New package detected: $pkg ($dir)"
echo "$dir" >> "$RUNNER_TEMP/new_packages.txt"
else
echo "Existing package: $pkg"
fi
done
if [ -s "$RUNNER_TEMP/new_packages.txt" ]; then
echo "::notice::New packages detected — will use NPM token for publish"
echo "has_new_packages=true" >> "$GITHUB_OUTPUT"
else
echo "All packages exist on npm — using OIDC trusted publishing"
echo "has_new_packages=false" >> "$GITHUB_OUTPUT"
fi
Comment on lines +35 to +49
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the current branch condition treats every non-zero `npm view` exit as "new package".
sed -n '35,49p' .github/workflows/publish.yml
rg -n -C2 'npm view "\$pkg" version > /dev/null 2>&1|New package detected|has_new_packages=true' .github/workflows/publish.yml

Repository: OpenZeppelin/contracts-wizard

Length of output: 1347


Differentiate 404s from transient npm view failures to avoid silent auth-path changes.

Line 36 treats every npm view error identically—timing out, returning 5xx, or hitting rate limits will silently flip the job into token mode instead of surfacing the actual registry failure. Only treat definite 404 responses as "new package"; fail the step on other errors.

Suggested fix
-          " | while IFS=: read -r pkg dir; do
-            if ! npm view "$pkg" version > /dev/null 2>&1; then
+          " | while IFS=: read -r pkg dir; do
+            if output="$(npm view "$pkg" version 2>&1)"; then
+              echo "Existing package: $pkg"
+            elif printf '%s' "$output" | grep -qE 'E404|404 Not Found'; then
               echo "New package detected: $pkg ($dir)"
               echo "$dir" >> "$RUNNER_TEMP/new_packages.txt"
             else
-              echo "Existing package: $pkg"
+              printf '%s\n' "$output" >&2
+              exit 1
             fi
           done
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 35 - 49, The script currently
treats any failure of the npm view command as a new-package signal; change the
loop that runs npm view "$pkg" so it captures stderr/exit status and only treats
definite 404 responses (e.g., stderr contains "404" / "Not Found" / "E404") as a
new package to append to "$RUNNER_TEMP/new_packages.txt"; for any other non-404
failure (timeouts, 5xx, rate limits, network errors) have the step exit non-zero
(fail) with an error message so the workflow doesn’t silently switch to token
publishing. Update the logic around the npm view call and the determination of
has_new_packages to reflect this behavior while still writing to
"$RUNNER_TEMP/new_packages.txt" only for true 404s.

- name: Enable NPM token publishing
if: steps.check-packages.outputs.has_new_packages == 'true'
run: echo "NODE_AUTH_TOKEN=${NPM_TOKEN}" >> "$GITHUB_ENV"
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Create Prepare Release PR or Publish
id: changesets
uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
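Review bot: the `check-packages` pipeline can fail silently in the direction opposite to the one the comment above covers: a `run:` block with no `shell:` key executes under `bash -e` without `pipefail`, so if `yarn workspaces --json info` or the inline `node -e` script fails, the `while` loop reads no lines, `new_packages.txt` is never written, and the step exits 0 reporting "All packages exist on npm" and selects the OIDC path. Add `shell: bash` to the step (GitHub then runs `bash --noprofile --norc -eo pipefail`) or put `set -o pipefail` at the top of the script, and consider failing when the loop processed zero packages. Separately, `Enable NPM token publishing` exports `NODE_AUTH_TOKEN` through `$GITHUB_ENV`, which exposes the long-lived `NPM_TOKEN` to every later step including the pinned `changesets/action`; that is the intent for a first publish, but a comment stating that the token is only needed until the package exists on npm would document why the secret still has to be kept.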
Expand All @@ -31,7 +63,7 @@ jobs:
commitMode: github-api
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_CONFIG_PROVENANCE: true
- name: Check changesets status
if: steps.changesets.outputs.hasChangesets == 'true'
run: |
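Review bot: removing `NPM_TOKEN` from the `changesets/action` env makes the publish step's authentication entirely implicit: on the new-package path it depends on `NODE_AUTH_TOKEN` having been written to `$GITHUB_ENV` by `Enable NPM token publishing`, on the other path on the OIDC token, and neither is visible in this hunk. A comment above `NPM_CONFIG_PROVENANCE: true` saying so, and noting that publishing with provenance itself requires the `id-token: write` permission added earlier in this file (so the token fallback still depends on OIDC being available), would save the next reader a trip through the whole workflow.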