-
Notifications
You must be signed in to change notification settings - Fork 124
promote to stable #1017
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
promote to stable #1017
Conversation
since oidc removes the need for the token for #958
since oidc does not currently work for whoami for #958
BREAKING CHANGE: v25 of semantic-release is now expected for #958
This reverts commit 156b6c8.
...the oidc features are merged
...upported ci providers for #958
... required when not using OIDC for #958
...m various registriess the trusted publishing verification is incomplete, but this change wires the various options together, at least for #958
...ealing functions to improve readability for #958
...ge can succeed this is the correct call, but details are still incomplete since the bearer token for the request needs to be the OIDC token from the CI IdP for #958
...change request for #958
...shing vs access token use since trusted publishing is now more required than it previously was: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
...b actions for both trusted publishing and provenance attestations for #958
...context of github actions for #958
since that logic is now handled with the step to acquire the id-token for #958
...ithin GitLab Pipelines for #958
since stubbing `@actions/core` breaks in that version and i don't want figuring that out to delay getting the trusted-publishing feature out for #958
...lishing from a sub-directory
🎉 This PR is included in version 13.1.0-beta.2 🎉
The release is available on:
Your semantic-release bot 📦🚀
🎉 This PR is included in version 13.1.0-beta.3 🎉
The release is available on:
Your semantic-release bot 📦🚀
@semantic-release/maintainers based on early feedback from #958 and my tests in https://github.com/travi-test/npm-oidc-test/ and our automated tests running in our pipeline, i'm ready to say this is ready for final review before promoting to stable.
the outstanding issues in the initial PR description have been updated to remain accurate and are beyond the scope of what i think should hold this PR back from being merged
this should be merged with a normal merge rather than being squashed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good @travi 👍🏾
Ready when you're ready... Let's go!
Just curious though... I see the Pattern where we're doing some things to orchestrate the OIDC session with the specific CI i.e. (GitHub Actions and GitLab Pipelines)... Is this the kinda pattern we get to follow if we want to support OIDC in other CI environments?? 🤔
Uh oh!
There was an error while loading. Please reload this page.
todo before merging
outstanding issues after this effort
(削除) add-channel will fail because of lack of OIDC support (削除ここまで)this appears to no longer be true (update: maybe still not fully in the clear, with limited cases hitting issues that are on the registry side)