chore(NODE-7562): use npm trusted publisher for nightly release#4930
Open
Pull request overview
Migrates the nightly npm publish flow from using an NPM_TOKEN secret to using npm Trusted Publishing (OIDC) by routing publishing through a dedicated, dispatch-triggered workflow that can be registered once as the trusted publisher for the mongodb package.
Changes:
- Document the nightly release exception and Trusted Publishing setup in release notes.
- Update `release-nightly.yml` to dispatch a dedicated `npm-publish.yml` workflow instead of running `npm publish` directly.
- Add `npm-publish.yml` (OIDC-enabled) and a helper script to dispatch and wait for workflow completion.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| etc/notes/releasing.md | Documents nightly publishing via the new trusted-publisher workflow. |
| .github/workflows/release-nightly.yml | Replaces direct npm publish with a dispatch to the dedicated publish workflow and adjusts permissions. |
| .github/workflows/npm-publish.yml | New dispatch-triggered workflow that performs checkout + publish using OIDC (id-token: write). |
| .github/scripts/dispatch-and-wait.mjs | New helper to dispatch a workflow via gh and block until the run finishes. |
Comment on lines +58 to +62
| // gh prints e.g. "https://github.com/owner/repo/actions/runs/<id>" | ||
| const match = dispatch.stdout.match(/\/actions\/runs\/(\d+)/); | ||
| if (!match) { | ||
| console.error('Could not extract run id from gh workflow run output:', dispatch.stdout); | ||
| process.exit(1); |
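Review bot: the run-id extraction at the `match(/\/actions\/runs\/(\d+)/)` line relies on the assumption in the comment above it that `gh workflow run` echoes a run URL; if that output ever lacks the URL, the script exits non-zero and the nightly is never published even though the dispatch succeeded. Suggest confirming the actual `gh` output in a workflow log and, when no URL is found, falling back to `gh run list --workflow npm-publish.yml --json databaseId` filtered to the dispatched ref instead of treating the missing match as fatal.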
Comment on lines +12 to +24
| inputs: | ||
| tag: | ||
| description: 'npm dist-tag (e.g. nightly, latest, alpha)' | ||
| required: true | ||
| type: string | ||
| version: | ||
| description: 'Package version to publish' | ||
| required: true | ||
| type: string | ||
| ref: | ||
| description: 'Git ref (commit SHA preferred) to publish from' | ||
| required: true | ||
| type: string |
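Review bot: the `ref` input at the `description: 'Git ref (commit SHA preferred) to publish from'` line only prefers a SHA, but this workflow holds the npm OIDC identity, so whatever is dispatched here gets published. Accept only a full 40-hex commit SHA (add a first step that fails on anything else) and restrict `tag` to the dist-tags the release flows actually use, so a dispatch cannot point the trusted publisher at a moving branch or at an unintended tag.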
Comment on lines 30 to +36
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \ | ||
| tag=nightly \ | ||
| version="$(node -p "require('./package.json').version")" \ | ||
| ref="${{ github.sha }}" |
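Review bot: `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` is still in this step's `env` even though the step now only dispatches `npm-publish.yml` and no longer runs `npm publish`; drop it so the legacy token is not exposed to a step that does not need it, and it can then be deleted from the repository once trusted publishing is verified. Consider also passing `${{ github.sha }}` to the script through `env` rather than interpolating it into `run:`, which keeps the step free of the expression-in-shell pattern even though a SHA is safe today.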
Description

Merge this PR only after configuration on NPM for trusted publisher is complete! Workflow name for NPM - `npm-publish.yml`.

Summary of Changes

Migrates the nightly release flow off `NPM_TOKEN` and onto npm Trusted Publishing (OIDC). The pattern routes publishing through a dedicated, single-purpose workflow that we can register once on npmjs.com as the trusted publisher for the `mongodb` package. npm Trusted Publishing currently allows one trusted publisher entry per package, and the OIDC validation matches against the top-level caller workflow's filename - so `workflow_call` does not work around this. Dispatching the publish workflow via the `workflow_dispatch` API lets us register a single publisher entry and eventually route every release flow (nightly, latest, alpha, backports) through it. Test on nightly build first, before promoting to the rest.
Double check the following
- `npm run check:lint`
- `type(NODE-xxxx)[!]: description` (e.g. `feat(NODE-1234)!: rewriting everything in coffeescript`)
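As an added example, not the driver's own `dispatch-and-wait.mjs` or `npm-publish.yml`, this is the input validation a dispatcher in the pattern described above should apply before calling `gh workflow run`, alongside the same run-URL parse the script performs; the function names, the allowed dist-tag set and the "nightly must be a prerelease" rule are assumptions.

```javascript
// Added example (not the project's code): guard the three inputs that the
// dispatcher forwards to the OIDC publish workflow, and parse a run id from
// the gh output the way the script's regex does.

// Assumed policy: only these dist-tags may be published by the release flows.
const ALLOWED_TAGS = new Set(['nightly', 'latest', 'alpha']);

// Require a full 40-hex commit SHA, not a branch or tag name, so the publish
// workflow cannot be pointed at a ref that moves after dispatch.
const FULL_SHA = /^[0-9a-f]{40}$/;

// MAJOR.MINOR.PATCH with optional prerelease and build suffix.
const SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function validateDispatchInputs({ tag, version, ref }) {
  const errors = [];
  if (!ALLOWED_TAGS.has(tag)) {
    errors.push(`tag "${tag}" is not an allowed dist-tag`);
  }
  if (!SEMVER.test(version ?? '')) {
    errors.push(`version "${version}" is not a semver string`);
  }
  if (!FULL_SHA.test(ref ?? '')) {
    errors.push(`ref "${ref}" is not a full 40-hex commit SHA`);
  }
  // Assumed policy: a nightly carries a prerelease suffix so it can never
  // be published under a version that shadows a real release.
  if (tag === 'nightly' && SEMVER.test(version ?? '') && !version.includes('-')) {
    errors.push('nightly version must carry a prerelease suffix');
  }
  return { ok: errors.length === 0, errors };
}

// Same parse as the script: returns the numeric run id from a run URL in the
// gh output, or null when no URL is present so the caller can fall back
// (e.g. to `gh run list`) instead of assuming the dispatch failed.
function parseRunId(stdout) {
  const match = String(stdout).match(/\/actions\/runs\/(\d+)/);
  return match ? match[1] : null;
}
```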