mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
* feat: migrate npm publish to OIDC trusted publishing (#7401) Replaces NPM_TOKEN-based publishing with npm Trusted Publishing over OIDC for both etherpad-lite core and the shared plugin publish template. Tokens no longer expire every 90 days; each publish authenticates via a short-lived OIDC token issued to the GitHub Actions runner. Changes: - bin/plugins/lib/npmpublish.yml: the reusable workflow propagated to every ether/ep_* plugin via the update-plugins cron. Now bumps Node to 22, upgrades npm to >=11.5.1, declares id-token: write, drops NODE_AUTH_TOKEN, and calls `npm publish --provenance --access public` directly (not via pnpm/gnpm wrappers, which obscure the npm CLI version requirement). - bin/plugins/lib/test-and-release.yml: the parent workflow that calls npmpublish.yml as a reusable workflow. Top-level and release-job permissions now grant id-token: write so the OIDC token can flow into the called workflow. - .github/workflows/releaseEtherpad.yml: core's own publish workflow for the ep_etherpad package. Same OIDC migration; keeps the gnpm install + rename steps but switches the final publish to npm. - doc/npm-trusted-publishing.md: explains how trusted publishing works, the one-time per-package setup that has to happen on npmjs.com, requirements (Node 22.14+, npm 11.5.1+, cloud runners), and common errors. The next update-plugins cron run will propagate the new template to every plugin. Once that lands and the trusted publisher is configured on npmjs.com per package, the NPM_TOKEN secret can be removed. Closes #7401 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: add bin/setup-trusted-publishers.sh for bulk OIDC config (#7401) Adds a script that automates the per-package trusted-publisher setup that previously had to be done by clicking through npmjs.com once for each of the 80+ ep_* plugins. Uses the new `npm trust github` CLI (npm >= 11.5.1) so the whole org can be configured in one shot: npm login bin/setup-trusted-publishers.sh The script: - Discovers every non-archived ether/ep_* repo via `gh repo list` - Maps ep_etherpad to the etherpad-lite repo / releaseEtherpad.yml, and every plugin to its same-named repo / test-and-release.yml - Runs `npm trust github <pkg> --repository <org>/<repo> --file <workflow> --yes` for each package - Supports --dry-run, --packages <comma list>, and --skip-existing - Verifies npm >= 11.5.1 and that the user is logged in before doing anything destructive Doc updated to feature the script as the recommended setup path, with manual web-UI steps kept as a fallback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: don't bump CI Node version to 22 for OIDC npm 11.5.1 (the version that ships trusted publishing) actually requires '^20.17.0 || >=22.9.0', not Node 22.14+. The npm docs recommend Node 22 but only because that's what bundles a recent enough npm — installing 'npm@latest' on top of Node 20.17+ works just as well. The repo already requires Node >= 20.0.0 in engines.node and the setup-node@v6 'version: 20' input resolves to the latest 20.x (currently 20.20+), which satisfies npm 11's range. Revert the CI publish workflows from node-version: 22 back to 20 so this PR does not raise the Node bar at all. Doc updated to explain the actual constraint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
ef1a8d93ed
commit
7c3837891b
5 changed files with 316 additions and 18 deletions
22
.github/workflows/releaseEtherpad.yml
vendored
22
.github/workflows/releaseEtherpad.yml
vendored
|
|
@ -1,6 +1,7 @@
|
|||
name: releaseEtherpad.yaml
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write # for npm OIDC trusted publishing
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
|
|
@ -13,6 +14,15 @@ jobs:
|
|||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
# OIDC trusted publishing needs npm >= 11.5.1, which requires
|
||||
# Node >= 20.17.0. setup-node's `20` resolves to the latest
|
||||
# 20.x, which satisfies that.
|
||||
node-version: 20
|
||||
registry-url: https://registry.npmjs.org/
|
||||
- name: Upgrade npm to >=11.5.1 (required for trusted publishing)
|
||||
run: npm install -g npm@latest
|
||||
- name: Get pnpm store directory
|
||||
shell: bash
|
||||
run: |
|
||||
|
|
@ -38,8 +48,12 @@ jobs:
|
|||
- name: Rename etherpad
|
||||
working-directory: ./src
|
||||
run: sed -i 's/ep_etherpad-lite/ep_etherpad/g' package.json
|
||||
- name: Release to npm
|
||||
run: gnpm publish --no-git-checks
|
||||
# Use `npm publish` directly (not `gnpm`/`pnpm` wrappers) because OIDC
|
||||
# trusted publishing requires npm CLI >= 11.5.1 and the wrappers shell
|
||||
# out to npm; calling npm directly avoids any shim ambiguity. The
|
||||
# ep_etherpad package must have a trusted publisher configured on
|
||||
# npmjs.com pointing at this workflow file. See:
|
||||
# https://docs.npmjs.com/trusted-publishers
|
||||
- name: Release to npm via OIDC
|
||||
run: npm publish --provenance --access public
|
||||
working-directory: ./src
|
||||
env:
|
||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_PRIVATE_TOKEN }}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue