Consider Enabling Trusted Publishing

[nrayburn-tech]

Trusted publishing is intended to be a safer alternative to API tokens for publishing packages. This is done by using short lived tokens between a CI provider and NPM.
NPM docs https://docs.npmjs.com/trusted-publishers

It looks like publishes happen for this repo from a local machine and not CI, so that would need to change to use this feature. The publish job looks like it also has more than just NPM publishes, so there's more complexity there too.

Is this something that should be enabled for this repo?

[evanw]

Thanks for the heads up. I wasn't aware that this was an option. Like you said there's a little more involved in a release than just the npm publishing step. I will consider this.

[nrayburn-tech]

I think the docs cover it pretty well, but if you’re looking for examples the oxc-project org has a few. Rust and Go native executables included. (Again, your current release flow still appears to be different than these but they might give you ideas on how to adjust.)

https://github.com/oxc-project/tsgolint/blob/main/.github/workflows/release.yml
https://github.com/oxc-project/oxc/blob/main/.github/workflows/release_oxlint.yml

[Boshen]

I have a script that helps you enable trusted publishing for all sub-packages: https://gist.github.com/Boshen/54609bb8317f72511c0e1067aba71c1a

[nrayburn-tech]

I don’t know the NPM publishing workflow in use here enough to know if it’s impacted, but just FYI that some publishing options are going to be deprecated.

https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/