Commit c260cb8
fix(publish-cross-org): drop NPM_TOKEN fallback, trusted-publishing only
The workflow had a NODE_AUTH_TOKEN env wired to secrets.NPM_TOKEN as a
fallback path for repos with a long-lived npm token. That defeats the
trust gate the topology depends on:
- trusted-publishing minted via this workflow's `id-token: write`
permission, scoped to (sourceRepo, workflowPath) on npmjs.com.
- A long-lived NPM_TOKEN is scoped to the npm account — anyone who
exfiltrates the secret gets publish rights for the whole scope, no
workflow binding, no SHA pin, no expiry.
The two auth paths can coexist on npm's side, but having BOTH wired
here means a token leak goes undetected (publishes succeed via the
fallback even when the OIDC config is broken). Trusted-publishing is
the only auth path now; if npm rejects the OIDC token, the publish
fails loudly — which is the correct failure mode.
Per-package trusted-publisher config on npmjs.com must point at
SocketDev/socket-addon + this workflow before any real publish goes
through. The first dispatch will reveal whether that's configured.

1 parent 4caf99f commit c260cb8
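For readers of the message above, an illustration of the shape the publish job ends up in once the fallback is gone. This is an added example, not the socket-addon workflow or any file from the SocketDev repository: the file path, the `workflow_dispatch` trigger, the Node version and the `npm@latest` upgrade step (trusted publishing needs a recent npm CLI with OIDC support) are assumptions, not taken from the page.

```yaml
# Added illustration, not the project's own workflow.
# Assumed path: .github/workflows/publish-cross-org.yml (the page names the
# workflow but not its file); npmjs.com's trusted-publisher entry for the
# package must name exactly this repo and this file.
name: publish-cross-org

on:
  workflow_dispatch:   # assumed trigger

jobs:
  publish:
    runs-on: ubuntu-latest
    # The only credential this job can obtain is the GitHub OIDC token.
    # No repository secret is referenced anywhere in the job.
    permissions:
      id-token: write   # npm exchanges this for a short-lived publish credential
      contents: read    # bound to (sourceRepo, workflowPath), nothing broader

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22                         # assumed
          registry-url: https://registry.npmjs.org
          # Deliberately no NODE_AUTH_TOKEN / NPM_TOKEN wiring here.

      # Trusted publishing is implemented in the npm CLI itself; the npm bundled
      # with the runner's Node may predate it, so upgrade first (assumed step).
      - run: npm install -g npm@latest

      - run: npm ci

      # The fallback this commit removes looked like this. With it present, a
      # broken or missing trusted-publisher config would still publish via the
      # long-lived token, so a misconfiguration (or a leaked token) never surfaces:
      #
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      #
      # Without it, npm either obtains an OIDC-backed credential or the step fails.
      - run: npm publish
```

A quick check before the first dispatch: `grep -rn 'NPM_TOKEN\|NODE_AUTH_TOKEN' .github/workflows/` should return nothing for the publishing workflow, and the job's `permissions` block must carry `id-token: write` (a job-level `permissions` block replaces the workflow-level one, so the grant has to be on the publishing job itself). If npmjs.com's trusted-publisher entry does not match the repo and workflow filename, the publish step fails rather than falling back, which is the failure mode the commit message asks for.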
1 file changed
Lines changed: 7 additions & 4 deletions
| Original line | Diff line | Change |
|---|---|---|
| 69-71 | 69-71 | unchanged context |
| 72-75 | | removed (4 lines) |
| | 72-78 | added (7 lines) |
| 76-78 | 79-81 | unchanged context |
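Review bot: the diff body is not rendered on this page (only line numbers with +/- markers survive: 72-75 removed, 72-78 added, context 69-71 and 76-81), so the hunk cannot be checked against the commit message from here; what should be confirmed on the actual file is that the removed block is the `NODE_AUTH_TOKEN: secrets.NPM_TOKEN` wiring named in the message and that no other step in the workflow still reads `NPM_TOKEN`, and that the added lines leave `id-token: write` on the publishing job rather than only at workflow level, since a job-level `permissions` block overrides the workflow-level grant the message relies on.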