Merged
Conversation
Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the npm publishing workflow to satisfy npm sigstore provenance constraints by separating package creation (self-hosted) from publishing (GitHub-hosted).
Changes:
- Split the previous combined npm publish job into
pack-npm(self-hosted) andpublish-npm(GitHub-hosted). - Upload the packed
*.tgzas a workflow artifact and publish that artifact from a GitHub-hosted runner. - Move the “upgrade npm for trusted publishing” step to the GitHub-hosted publish job.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request updates the npm publishing workflow to improve security and meet npm sigstore provenance requirements. The main change is splitting the packaging and publishing steps: the npm package tarball is now built on a self-hosted runner and then published from a GitHub-hosted runner, which is required for trusted publishing.