mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-05-12 10:11:42 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
306fefbb1d236330fbbcd4a4dfd3c1d98c4001f4
pnpm/.github/workflows/release.yml
Zoltan Kochan d98ac7e4bb ci(release): split publish into three steps to force trusted publishing (#11496) 
The previous "Publish Packages" step ran `pn release` after writing
NPM_TOKEN into pnpm's config. With a static `_authToken` configured,
`pnpm publish` bails out of OIDC entirely (see #11495 for the longer-
term fix), so every package — including `pnpm` and `@pnpm/exe` — was
silently being published with the legacy token instead of using npm's
trusted publishing. The result: published metadata showed
`_npmUser: pnpmuser` and no provenance attestation.

Until #11495 ships, work around the precedence bug by structuring the
job so the packages we *want* trusted publishing for never see a
static token at all:

1. `@pnpm/exe` — published in a step with no NPM_TOKEN. pnpm has no
   token to short-circuit on, performs OIDC, gets a `trustedPublisher`
   entry on npm.
2. Internal workspace packages — these don't have trusted publishing
   configured on npm, so they still need the static token. The token
   is written, the publish runs, then `pn config delete` removes the
   token before the next step.
3. `pnpm` — published in a step with no NPM_TOKEN, same rationale as
   step 1.

CI-only change; no changeset needed.
2026-05-06 17:19:24 +02:00

78 lines
3.8 KiB
YAML
Raw Blame History

name: Release
on:
push:
tags:
- "v*.*.*"
jobs:
release:
permissions:
id-token: write # Required for OIDC
contents: write # for softprops/action-gh-release to create GitHub release
attestations: write # for actions/attest-build-provenance
# Runs on macOS so the darwin artifacts can be ad-hoc signed with native
# `codesign` (no need to build/install `ldid` on the runner) and so
# `verify-binary.mjs` can smoke-test the darwin-arm64 SEA in place — a
# macos-latest runner is Apple Silicon and can execute the arm64 binary.
# Note: this does NOT fix the darwin-x64 crash (nodejs/node#62893) — that's
# an upstream Node.js SEA bug independent of signing; see pack-app docs.
runs-on: macos-latest
environment: release
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install pnpm
uses: pnpm/action-setup@e578e19d19d31b011b841ba2aca34731a5f706a5
with:
standalone: true
- name: Setup Node
run: pn runtime -g set node 26.0.0
timeout-minutes: 2
- name: pnpm install
run: pn install
# The publish phase is split into three sequential steps to control which packages
# use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails
# out of OIDC as soon as a static `_authToken` is configured, so the only way to
# force trusted publishing for a given package today is to run its publish in a
# step that doesn't have NPM_TOKEN set. See https://github.com/pnpm/pnpm/pull/11495
# for the longer-term fix that lets OIDC override a configured token.
- name: Publish @pnpm/exe (trusted publishing)
# No NPM_TOKEN: pnpm has no static token to short-circuit on, so it will perform
# the OIDC token exchange against npm's trusted-publishing config for `@pnpm/exe`.
# The exe artifacts must be built before the publish, so they're built here too.
run: |
pn --filter=@pnpm/exe run build-artifacts
pn --filter=@pnpm/exe publish --tag=next-11 --access=public --provenance
- name: Publish internal workspace packages (static token)
# The other workspace packages don't have trusted publishing configured on npm,
# so we still need a static token here. The token is removed from pnpm's config
# at the end of the step so it can't leak into the trusted-publishing step that
# follows (where its presence would silently downgrade `pnpm` to token publishing).
env:
# Setting the "npm_config_//registry.npmjs.org/:_authToken" env variable directly
# doesn't work — pnpm doesn't appear to pass auth tokens to child processes.
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
pn config set "//registry.npmjs.org/:_authToken" "${NPM_TOKEN}"
pn publish --filter=!pnpm --filter=!@pnpm/exe --access=public --provenance
pn config delete "//registry.npmjs.org/:_authToken"
- name: Publish pnpm CLI (trusted publishing)
# No NPM_TOKEN — same rationale as the @pnpm/exe step above. This must come after
# the previous step has cleared its NPM_TOKEN from pnpm's config.
run: pn publish --filter=pnpm --tag=next-11 --access=public --provenance
- name: Copy Artifacts
run: pn copy-artifacts
- name: Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: 'dist/*'
- name: Generate release description
run: pn make-release-description
- name: Release
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
with:
draft: true
files: dist/*
body_path: RELEASE.md
Reference in New Issue View Git Blame Copy Permalink