Description
- I'd be willing to implement this feature (contributing guide)
- This feature is important to have in this repository; a contrib plugin wouldn't do
Describe the user story
As a developer, I want to automatically publish packages to the npm registry from my CI/CD pipeline, but this usually requires me to create and manage long-lived auth tokens, which can become security issues, or expire without notice.
Describe the solution you'd like
npm is implementing OIDC authentication in their CLI and registry. In this workflow, the CI provider creates and signs a short-lived OIDC token the tool can send to the registry (which decides whether to trust it based on the user's configuration) and get a short-lived auth token in exchange.
- Proposal: https://repos.openssf.org/trusted-publishers-for-all-package-repositories.html
- Existing implementations:
- Providers: GitHub Actions, GitLab Pipelines
- Registries: PyPI, RubyGems, Dart Pub
- npm Announcement: https://github.com/orgs/community/discussions/161015
- npm CLI PR: feat: adds support for oidc publish npm/cli#8336
Describe the drawbacks of your solution
- Adding complexity to the CLI
- More environment-dependent functionality
- Aligning too much with GitHub/NPM's way of doing things(?)
Describe alternatives you've considered
Why not make it a plugin? There isn't an npm login hook AFAICS (https://yarnpkg.com/api/yarnpkg-core/interface/Hooks), and the npm registry functionality is already part of the core plugins. Moreover, other id-token interactions such as publish provenance are already implemented in core.