chore(ci): scope NODE_AUTH_TOKEN to npm publish and add --provenance #369

Merged
franciscocabezas merged 1 commit into main from chore/harden-publish-workflow on Apr 30, 2026

@franciscocabezas
Contributor

Summary

Hardens .github/workflows/publish-to-npm.yml to reduce blast radius in case of an install-time supply-chain compromise:

  • Remove NODE_AUTH_TOKEN from the actions/setup-node step. It was previously exposed for the entire job, including pnpm install (which runs lifecycle scripts), lint, test, and build. Any compromised dependency executing during install could read the npm publish token from process.env.
  • Set NODE_AUTH_TOKEN only on the npm publish step, which is the sole step that needs it.
  • Add --provenance to npm publish so released artifacts get npm package provenance attestations. The job already has permissions: id-token: write, so no additional config is needed.

Context

This is preventive hardening prompted by recent supply-chain incidents (e.g. install-time compromises in transitively-pulled packages). I found no evidence of compromise in this repo — this is purely about reducing future blast radius. The same pattern is being rolled out to Topsort/banners.js and Topsort/topsort.js.

Test plan

  • CI lint/test/format jobs pass on the PR (these don't exercise the release workflow).
  • On the next published GitHub Release, confirm the Release workflow runs successfully and npm publish authenticates correctly.
  • Confirm the published version on npm shows a provenance attestation on the package page.

Risk

Low. Behavioral diff vs. before:

  • The token is no longer present during pnpm install / lint / test / build (intended).
  • npm publish itself still receives the token via env: and the .npmrc written by setup-node (registry-url is unchanged), so authentication still works.
  • --provenance requires id-token: write (already set) and a public package on a supported runner (GitHub-hosted ubuntu-24.04, OK).

Made with Cursor

Move NODE_AUTH_TOKEN out of the actions/setup-node step so it is no
longer exposed to install-time dependency lifecycle scripts (e.g.
postinstall during `pnpm install`, build, lint, and test). The token
is now only set on the `npm publish` step, which is the only place it
is required.

Also add `--provenance` to `npm publish` so released artifacts include
npm package provenance attestations, leveraging the existing
`id-token: write` permission.

This reduces the blast radius of any future install-time supply-chain
compromise without changing release behavior.

Made-with: Cursor
franciscocabezas requested a review from a team as a code owner April 30, 2026 13:50
franciscocabezas merged commit c419d38 into main Apr 30, 2026
5 checks passed
franciscocabezas deleted the chore/harden-publish-workflow branch April 30, 2026 15:57
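
The token scoping this PR describes, sketched as a workflow file. This is an added example, not the repository's actual publish-to-npm.yml: the secret name `NPM_TOKEN`, the action versions, the Node version, the permissions beyond `id-token: write`, and the exact pnpm commands are assumptions.

```yaml
# Constructed illustration of the pattern in this PR (not the project's real workflow).
name: Release
on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write            # required by `npm publish --provenance`

jobs:
  publish:
    runs-on: ubuntu-24.04    # GitHub-hosted runner, as stated in the PR
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # still writes the .npmrc
        # Before the change the token was attached here, which per the PR
        # description left it readable by every later step in the job:
        # env:
        #   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # These steps run third-party code (lifecycle scripts, test and build
      # tooling) and now execute without the publish token in process.env.
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint
      - run: pnpm test
      - run: pnpm build

      # After the change: the token exists only for the one step that needs it.
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

When reviewing a similar workflow, also check that the token is not set in a workflow-level or job-level `env:` block, since either would put it back in scope for the install step.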

2 participants