by mnahkies
228 days ago
Tbf the new trusted publishers goes a long way to improving this (not used by this package by the look of it). I migrated a few of my packages to it, and now:

- publishing with an API token is forbidden, must use the specified workflow w/ OIDC auth
- an explicit approval step in GitHub is required to run the publish workflow (you can also set a time delay, similar to time-release safes)
- provenance is generated and published

Ref: https://docs.npmjs.com/trusted-publishers/
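For readers who want to see what the three points in the comment above look like in practice, here is an added example of a GitHub Actions workflow that publishes to npm through a trusted publisher. It is not the commenter's own workflow and not taken from any package; the workflow file name (`publish.yml`), the environment name (`release`) and the tag trigger are assumptions, and the trusted publisher entry on npmjs.com has to be registered with the same repository, workflow file name and environment name for the OIDC exchange to succeed.

```yaml
# Added example (not from the original thread): npm trusted publishing
# from GitHub Actions. Assumed: this file lives at
# .github/workflows/publish.yml and a GitHub environment named "release"
# exists on the repository; both names must match the trusted publisher
# registered for the package on npmjs.com.
name: Publish to npm

on:
  push:
    tags:
      - 'v*'

jobs:
  publish:
    runs-on: ubuntu-latest
    # The environment is what provides the explicit approval step: set
    # "Required reviewers" (and optionally a wait timer, the "time delay")
    # on it under the repository's Settings > Environments. The job blocks
    # here until a reviewer approves.
    environment: release
    permissions:
      contents: read
      # id-token: write lets the job request a GitHub OIDC token, which the
      # npm registry exchanges for a short-lived publish credential. No
      # long-lived NPM_TOKEN is stored in repository secrets.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      # Trusted publishing needs a recent npm CLI (the npm docs state
      # 11.5.1 or later), so upgrade past whatever setup-node shipped.
      - run: npm install -g npm@latest
      - run: npm ci
      # With OIDC-based publishing, npm attaches a provenance attestation
      # linking the published tarball to this workflow run and commit.
      # --provenance is the explicit form; --access public is only needed
      # for scoped packages that should be public.
      - run: npm publish --provenance --access public
```

Two checks worth doing after the first publish: confirm on the package's npmjs.com page that the version shows a provenance badge pointing at the expected repository and workflow, and, as a consumer, run `npm audit signatures` in a project that depends on the package to verify the registry signature and attestation locally. Pinning the `actions/*` steps to a commit SHA rather than a major tag further narrows what can run inside the job that holds `id-token: write`.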