Meta: switch publish-biblio to trusted publishing #3706
The rendered spec for this PR is available as a single page at https://tc39.es/ecma262/pr/3706 and as multiple pages at https://tc39.es/ecma262/pr/3706/multipage .
ljharb
left a comment
OIDC and trusted publishing have severe security issues, even worse than our current setup. We should not do this.
I'm open to hearing your case for that, but I don't think that's true. Why do you believe that to be so?
ljharb
left a comment
I still don't like trusted publishing, but the issue I referred to before has been solved, and this is precisely the same amount of insecure as the token approach (both are one factor), so I'll land it for now. When npm releases staged publishing, we'll be able to move to an actual CI-based two-factor solution.
Existing token-based publishing will stop working soon. Anyway, best not to have to store secrets in settings. See npm docs on trusted publishing. I already set up the package to trust the publish-biblio.yml workflow.