Make NPM_TOKEN optional for package release #1744
Classic tokens are no longer supported by npm. We may still want to run the release script from a local machine using a fine-grained access token, but these tokens expire after 90 days at most and are thus not suitable for our release process. I set up OpenID Connect between the `@webref/*` packages in npm and GitHub Actions and dropped the former `NPM_TOKEN` secret. This update adjusts the release script not to fail if such a token cannot be found. The call to `npmPublish` gets adjusted accordingly only to pass the token if it exists. That should close #1739.
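The token-or-OIDC decision described above, written as a pre-flight check (an added example, not code from this pull request or from the project). `resolvePublishAuth`, `versionAtLeast` and `MIN_OIDC_NPM` are hypothetical names; the example assumes the publish step uses the npm CLI and that trusted publishing needs npm 11.5.1 or later, as npm's documentation states.

```javascript
// Added example: resolvePublishAuth, versionAtLeast and MIN_OIDC_NPM are hypothetical names.
// Minimum npm CLI version for trusted publishing, per npm's documentation.
const MIN_OIDC_NPM = [11, 5, 1];

// True when version string a ("11.6.0") is >= the [major, minor, patch] tuple b.
function versionAtLeast(a, b) {
  const parts = String(a).split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const x = parts[i] || 0;
    if (x !== b[i]) return x > b[i];
  }
  return true;
}

// Decide how the release can authenticate to npm, from the environment alone.
// env: a process.env-like object; npmVersion: the output of `npm --version`.
function resolvePublishAuth(env, npmVersion) {
  const token = (env.NPM_TOKEN || '').trim();
  if (token) {
    // Local run with a fine-grained token: pass it through explicitly.
    return { mode: 'token', token };
  }
  // GitHub Actions sets both request variables only when the job has `id-token: write`.
  const oidc = env.GITHUB_ACTIONS === 'true' &&
    Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL) &&
    Boolean(env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
  if (!oidc) {
    throw new Error('No NPM_TOKEN and no OIDC context: set NPM_TOKEN locally, or ' +
      'grant the job "id-token: write" and configure a trusted publisher.');
  }
  if (!versionAtLeast(npmVersion, MIN_OIDC_NPM)) {
    throw new Error(`npm ${npmVersion} is too old for trusted publishing`);
  }
  // No token property at all, so no empty value is handed to the publish call.
  return { mode: 'oidc' };
}

// Constructed sample environments (not taken from the project's CI).
const ciEnv = {
  GITHUB_ACTIONS: 'true',
  ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/oidc',
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed-request-token',
};
console.log(resolvePublishAuth(ciEnv, '11.6.0'));
console.log(resolvePublishAuth({ NPM_TOKEN: 'constructed-token' }, '10.9.0'));
```

Failing early with a message that names the missing prerequisite makes a misconfigured workflow (no `id-token: write`, no trusted publisher) distinguishable from a registry-side error.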
Same as w3c/webref#1744 for browser-specs. Classic tokens are no longer supported by npm. We may still want to run the release script from a local machine using a fine-grained access token, but these tokens expire after 90 days at most and are thus not suitable for our release process. I set up OpenID Connect between the `browser-specs` and `web-specs` packages in npm and GitHub Actions and dropped the former `NPM_TOKEN` secret. This update adjusts the release script not to fail if such a token cannot be found. The call to `npmPublish` gets adjusted accordingly only to pass the token if it exists.
dontcallmedom
left a comment
is there anything to document about potential renewal/update to the OpenID connection? is that linked to your NPM account specifically?
No, "Trusted Publishers" settings are tied to each package, for example: https://www.npmjs.com/package/@webref/css/access. All package admins should have access to these settings. The npm documentation you mentioned in #1739 is pretty straightforward. (It's so straightforward it's suspicious, I probably missed something ;)) It still seems valuable to add a comment in the code to explain that there are pre-requisites and point at the documentation. Will do that.
Oh... I merged #1736 but https://github.com/w3c/webref/actions/runs/20142389583 failed. When this is merged, how can we make that release happen?
Ah, I should have annotated the package release pull requests to note that they were being blocked on the migration away from NPM tokens. We can just ignore PR #1736 that you merged. It just bumped the patch version in We should just look at filter-effects first. We had a "freeze" patch for this one because the draft spec was broken, but the spec just moved to the w3c/csswg-drafts repository, and the patch is either no longer needed or no longer does what it should. I'll look into this and hopefully release a new version of
Classic tokens are no longer supported by npm. We may still want to run the release script from a local machine using a fine-grained access token, but these tokens expire after 90 days at most and are thus not suitable for our release process.
I set up OpenID Connect between the 4 `@webref/*` packages in npm and GitHub Actions and dropped the former `NPM_TOKEN` secret. This update adjusts the release script not to fail if such a token cannot be found. The call to `npmPublish` gets adjusted accordingly only to pass the token if it exists.
That should close #1739.