Pull request overview
Adds a GitHub Actions workflow intended to unpublish @stellar/stellar-sdk@15.0.0 from npm.
Changes:
- Introduces a new .github/workflows/unpublish.yml workflow.
- Configures Node.js 20 + upgrades npm, then runs npm unpublish for a specific package/version.
| on: | ||
| pull_request: | ||
|
|
Running an npm unpublish workflow on every pull_request event is high-risk: if this lands on the default branch it will attempt to unpublish the package whenever any PR is opened/updated. This should be a manually-invoked workflow (e.g., workflow_dispatch) with explicit inputs (package/version) and (optionally) an environment requiring approvals.
| pull_request: | ||
|
|
||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
|
|
||
| jobs: | ||
| unpublish: | ||
| runs-on: ubuntu-latest |
Granting id-token: write to a PR-triggered workflow is unsafe (OIDC tokens can be requested by code in the workflow run). Apply least privilege by removing this permission for PR events, or move the workflow to workflow_dispatch + protected environment and only grant id-token: write at the job level when needed.
| pull_request: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| unpublish: | |
| runs-on: ubuntu-latest | |
| workflow_dispatch: | |
| jobs: | |
| unpublish: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read |
| @@ -0,0 +1,24 @@ | |||
| name: Unpublish v15.0.0 | |||
The workflow hard-codes the version (both in the workflow name and the unpublish command). This makes reuse/error-prone updates likely; prefer workflow_dispatch inputs (or env vars) for package name and version so the same workflow can be safely reused without code changes.
| - name: Unpublish @stellar/stellar-sdk@15.0.0 | ||
| run: npm unpublish @stellar/stellar-sdk@15.0.0 --provenance |
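Review bot: the "--provenance" flag on the "run: npm unpublish @stellar/stellar-sdk@15.0.0 --provenance" line is an npm publish option, not an npm unpublish one; unpublish produces no provenance attestation, so the flag is at best ignored and at worst rejected as an unknown config by the newer npm this workflow installs. Drop it, and consider a first run with "--dry-run" (which npm unpublish does support) so the job reports what it would remove before any version is actually deleted from the registry.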
The unpublish target is hard-coded and there is no guardrail (confirmation, allowlist, or restricted branch/ref) to prevent unpublishing the wrong package/version. Consider adding validation (e.g., only allow a specific scoped package, require explicit input match, and/or restrict execution to the default branch under a protected environment).
Size Change: 0 B Total Size: 45.4 MB
No description provided.