
chore(ci): split release.yml into build/publish/release-notes/notify jobs#58

Merged
mscolnick merged 2 commits into
mainfrom
myles/release-artifact-handoff
May 12, 2026

Conversation

@mscolnick
Contributor

Summary

Restructures the release workflow into four jobs with an artifact handoff so the id-token: write permission is scoped to a job that does nothing but npm publish. This resolves the supply-chain audit's oidc-publish-fused finding (OIDC publish should not share a job with arbitrary install/build/test code).

Jobs

  • build (no id-token): checkout, setup pnpm + Node (no registry-url), pnpm install --frozen-lockfile, test, build, validate dist/index.js + dist/index.d.ts, then upload dist/, package.json, README.md, LICENSE as the package artifact (1d retention, fail if empty).
  • publish (needs: build, id-token: write + contents: read): setup Node with registry-url, download the package artifact, run npm publish --ignore-scripts with NODE_AUTH_TOKEN="" to enable OIDC. No source checkout, no install — nothing else runs in this token's blast radius.
  • release-notes (needs: publish, contents: write): checkout and run npx changelogithub.
  • notify (needs: [build, publish, release-notes], if: always()): existing Slack release-notification step, status derived from contains(needs.*.result, 'failure').

Workflow-level permissions dropped to contents: read. All preexisting action SHAs preserved; actions/upload-artifact and actions/download-artifact pinned to v4 SHAs.

Test plan

  • Next tag push triggers all four jobs in sequence
  • publish job successfully authenticates to npm via OIDC using only the downloaded artifact
  • Slack notification fires with correct status
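
A minimal workflow showing the build/publish split described in this summary. This is an added example, not the repository's actual release.yml: the release-notes and notify jobs are omitted, action refs use version tags where the real file pins commit SHAs, and the tag pattern and Node version are assumptions.

```yaml
name: release
on:
  push:
    tags: ['v*']          # assumed trigger; the PR only says "tag push"

permissions:
  contents: read          # workflow-level default; jobs opt in to more below

jobs:
  build:
    runs-on: ubuntu-latest
    # No id-token here: install, test and build run with no publish credential.
    steps:
      - uses: actions/checkout@v4          # real file pins a commit SHA
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20               # assumed
          # deliberately no registry-url: this job must not be able to publish
      - run: pnpm install --frozen-lockfile
      - run: pnpm test && pnpm build
      - run: test -s dist/index.js && test -s dist/index.d.ts   # validate outputs
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: |
            dist/
            package.json
            README.md
            LICENSE
          retention-days: 1
          if-no-files-found: error       # fail instead of publishing nothing

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write                    # the only job able to mint an OIDC token
      contents: read
    # No checkout, no install: only the built artifact enters this job.
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - uses: actions/download-artifact@v4
        with:
          name: package                  # lands in the workspace root
      - run: npm publish --ignore-scripts  # no lifecycle scripts from package.json
        env:
          NODE_AUTH_TOKEN: ""            # empty so npm uses OIDC, not a stored token
```

The check worth keeping when reviewing such a split is that `id-token: write` appears in exactly one job and that job runs no `checkout`, `install`, or build step.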

Copilot AI review requested due to automatic review settings May 12, 2026 17:29

Copilot AI left a comment


Pull request overview

Refactors the release GitHub Actions workflow to isolate npm OIDC publishing into a dedicated job, reducing token blast radius and addressing the “OIDC publish fused with build steps” supply-chain finding.

Changes:

  • Split the previous single release job into build, publish, release-notes, and notify jobs.
  • Added artifact handoff from build to publish so the OIDC-enabled publish job runs without checkout/install/build steps.
  • Reduced workflow-level permissions to contents: read, with job-level overrides where needed.


Comment thread .github/workflows/release.yml Outdated
@mscolnick mscolnick force-pushed the myles/release-artifact-handoff branch from cedf07b to a153c56 Compare May 12, 2026 17:44
@mscolnick mscolnick merged commit 8d09c51 into main May 12, 2026
4 checks passed
@mscolnick mscolnick deleted the myles/release-artifact-handoff branch May 12, 2026 17:49