Commit 4e6e2bc
committed
security(release): drop .npmrc NPM_TOKEN write, rely on npm trusted publishing
The previous publish flow wrote a static `_authToken` from the
`NPM_TOKEN` secret into `~/.npmrc` before invoking `pnpm publish`. On
pnpm < 11.0.7 a configured `_authToken` takes precedence over OIDC
trusted publishing, so even though all `@rspack/*` packages have a
trusted publisher binding configured on npmjs.com, releases were still
authenticating with a long-lived token. The static-credential surface
is exactly what enables the TanStack 2026-05-11-style attack: anything
that runs in the `npm`/`npm-canary` environment can exfiltrate
`process.env.NPM_TOKEN` and publish arbitrary versions.
Deleting the `.npmrc` write makes OIDC the only auth path. `pnpm
publish` now mints a per-run token via the workflow's `id-token: write`
permission and authenticates against the trusted publisher binding
configured on npmjs.com.
Provenance (`--provenance` flag) is unaffected; it was already using
OIDC for signing and is independent of publish auth.
After merge, the `NPM_TOKEN` secret in the `npm` and `npm-canary`
GitHub environments has no remaining consumer and should be removed
from environment secrets to fully retire the credential.1 parent 259b48a commit 4e6e2bc
1 file changed
Lines changed: 0 additions & 12 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
13 | | - | |
14 | 13 | | |
15 | 14 | | |
16 | 15 | | |
| |||
26 | 25 | | |
27 | 26 | | |
28 | 27 | | |
29 | | - | |
30 | | - | |
31 | | - | |
32 | | - | |
33 | | - | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | | - | |
39 | | - | |
40 | 28 | | |
41 | 29 | | |
42 | 30 | | |
| |||
0 commit comments