
@ryanbas21 ryanbas21 commented Sep 23, 2025

JIRA Ticket

N/A

Description

From a security perspective, we should leverage the npm trusted publishers instead of NPM tokens. This enforces publishes come from a pipeline and not anywhere else.

This also removes the use of tokens from the pipeline because there is a trusted setup between the package (on npm) and the pipeline.

A package must be published first before this can be set up, so in order to publish the package first, we should publish a beta (can do it in CI or locally).

@cerebrl to review this, please go through the packages on npm and verify you see the trusted publishers setup with the correct github repository & the correct workflow file (publish.yml)

Because we can only have 1 workflow defined as "trusted", this breaks our old "snapshot.yml".

To ensure this functionality, we have the snapshot.yml "call" the publish.yml, but a different job.

The publish-or-pr job should remain unchanged.

The publish.yml should have a trusted publish job that is specifically allowing itself to be called from another workflow (snapshot.yml) so the publish still occurs from the trusted workflow.

We can also remove tokens from this workflow.

Summary by CodeRabbit

  • Chores
    • Reworked CI to consolidate publishing into a reusable, callable trusted-publish workflow that centralizes build, test, and publish steps.
    • Streamlined inputs, reduced permissions, and moved to OIDC-style provenance to improve security and maintainability.
    • Simplified snapshot flow to call the trusted publish path and standardized beta dist-tag and deployment targets.
  • Notes
    • No user-facing behavior changes.
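As an added illustration (not the project's own workflow files), the two-file layout the description above asks for: snapshot.yml only calls publish.yml through workflow_call, and the callee's trusted-publish job publishes with OIDC (`id-token: write`) and `--provenance` instead of an NPM token. Input names, the extra `called` input, and the action versions are assumptions; the `---` line separates the two files.

```yaml
# .github/workflows/publish.yml  (added illustration, not the project's file)
name: Publish
on:
  push:
    branches: [main]
  workflow_call:                  # lets snapshot.yml reuse this file
    inputs:
      branch:     { type: string,  required: true }
      dist_tag:   { type: string,  default: latest }
      prerelease: { type: string,  default: '' }
      access:     { type: string,  default: public }
      # assumed extra input: in a called workflow github.event_name is the caller's
      # event (push, workflow_dispatch), never 'workflow_call', so signal it explicitly
      called:     { type: boolean, default: false }
jobs:
  publish-or-pr:                  # existing release path, unchanged, push-only
    if: github.event_name == 'push' && !inputs.called
    runs-on: ubuntu-latest
    steps:
      - run: echo "release or open the version PR here"
  trusted-publish:
    if: inputs.called
    runs-on: ubuntu-latest        # OIDC tokens are only minted on GitHub-hosted runners
    permissions:
      contents: read              # checkout only; this job never pushes
      id-token: write             # REQUIRED: npm exchanges this OIDC token for publish auth
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.branch }}
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
      - run: pnpm install --frozen-lockfile
      - if: inputs.prerelease != ''
        run: pnpm changeset version --snapshot ${{ inputs.prerelease }}  # local edit, no token needed
      # No NPM_TOKEN / NODE_AUTH_TOKEN anywhere: npm trusts the (repository, workflow file)
      # pair registered for the package; --provenance attaches a signed attestation of this run.
      - run: pnpm publish -r --no-git-checks --tag ${{ inputs.dist_tag }} --access ${{ inputs.access }} --provenance
---
# .github/workflows/snapshot.yml  (added illustration): only delegates to the trusted workflow
name: Snapshot
on:
  workflow_dispatch:
    inputs:
      branch: { type: string, required: true }
permissions:
  contents: read
  id-token: write                 # the caller must grant whatever the callee will request
jobs:
  call-trusted-publish:
    uses: ./.github/workflows/publish.yml
    with: { branch: "${{ inputs.branch }}", dist_tag: beta, prerelease: beta, access: public, called: true }
    secrets: inherit
```

On npm, the package's trusted publisher must be registered with this repository and the file name publish.yml; a publish from snapshot.yml's own jobs would be rejected because the attested workflow file would not match.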


changeset-bot bot commented Sep 23, 2025

⚠️ No Changeset found

Latest commit: 105551a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Sep 23, 2025

Walkthrough

Introduce a callable publish workflow with inputs and a reusable trusted-publish job; remove inline npm auth/env and per-registry publish steps; simplify snapshot workflow to call the publish workflow (passing beta prerelease/tag/access) and reduce workflow permissions.

Changes

Cohort / File(s) | Summary of changes

Publish workflow (callable + trusted job): .github/workflows/publish.yml
  Added workflow_call inputs: branch, dist_tag, prerelease, access. Removed global NPM_ACCESS_TOKEN and many inline envs. Added guard so publish-or-pr runs only on push. Consolidated permissions (including id-token for provenance). Replaced comment block with direct nx-cloud start-ci-run call. Introduced reusable trusted-publish job (checkout, pnpm/node setup, install, nx distribution, Playwright cache/install, SHAs/pnpm config, nx run-many build/test/e2e-ci, report upload, prerelease/version steps, and final publish using dist-tag/access). Adjusted API docs target-folder to deploy to beta folder and aligned baseline bundle-size logic into the new flow.

Snapshot workflow now invokes publish: .github/workflows/snapshot.yml
  Replaced in-repo multi-step publish with a call-trusted-publish job that calls ./.github/workflows/publish.yml via workflow_call, passing branch, dist_tag: beta, prerelease: beta, access: public. Removed registry input and many inline setup/build/test/publish steps. Reduced permissions to a minimal set and inherit secrets.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Developer
  participant SnapshotWF as snapshot.yml
  participant PublishWF as publish.yml (workflow_call)
  participant TrustedJob as trusted-publish
  participant Registry as npm Registry

  Developer->>SnapshotWF: trigger (workflow_dispatch / push)
  SnapshotWF->>PublishWF: workflow_call(inputs: branch, dist_tag=beta, prerelease=beta, access=public)
  PublishWF->>TrustedJob: invoke trusted-publish job
  TrustedJob->>TrustedJob: checkout -> setup pnpm/node -> install -> nx start-ci-run -> build/test/e2e
  TrustedJob->>Registry: pnpm publish (dist-tag/access)
  Registry-->>TrustedJob: publish result
  TrustedJob-->>PublishWF: job result
  PublishWF-->>SnapshotWF: finished

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I hopped through workflows, neat and keen,
Replaced long steps with a callable scene.
One trusted path, beta flags in tow,
Tokens trimmed down, releases flow.
—🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation

Title Check | ✅ Passed | The title "ci: use-trusted-publishers" is concise and accurately summarizes the primary change in this PR — switching CI publishing to npm trusted publishers and removing NPM token usage — which matches the modifications to publish.yml and snapshot.yml. It is short, specific to CI, and meaningful for reviewers scanning the commit history.

Description Check | ✅ Passed | The pull request description includes the required template sections (JIRA Ticket set to N/A and a detailed Description) and explains the rationale, implementation (trusted publishers, publish.yml and snapshot.yml changes), and reviewer verification steps, making it actionable for reviewers. It does not explicitly state whether a changeset was added, but that omission is non-critical given the thorough explanation of intent and required verification.

Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.


nx-cloud bot commented Sep 23, 2025

View your CI Pipeline Execution ↗ for commit 105551a

Command Status Duration Result
nx run-many -t build ✅ Succeeded <1s View ↗
nx affected -t build typecheck lint test e2e-ci ✅ Succeeded 4m 27s View ↗
nx-cloud record -- nx format:check ✅ Succeeded 1s View ↗

☁️ Nx Cloud last updated this comment at 2025-09-23 21:19:12 UTC


codecov-commenter commented Sep 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.63%. Comparing base (4fbb22c) to head (105551a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #418   +/-   ##
=======================================
  Coverage   55.63%   55.63%           
=======================================
  Files          32       32           
  Lines        2051     2051           
  Branches      344      344           
=======================================
  Hits         1141     1141           
  Misses        910      910           

Contributor

github-actions bot commented Sep 23, 2025

Deployed 65ee3f2 to https://ForgeRock.github.io/ping-javascript-sdk/pr-418/65ee3f2cb3df2b6a72c82b370b3f56d41d71510d branch gh-pages in ForgeRock/ping-javascript-sdk

Contributor

github-actions bot commented Sep 23, 2025

📦 Bundle Size Analysis

➖ No Changes

@forgerock/davinci-client - 34.2 KB
@forgerock/sdk-utilities - 4.0 KB
@forgerock/device-client - 9.2 KB
@forgerock/sdk-types - 5.9 KB
@forgerock/protect - 150.1 KB
@forgerock/sdk-oidc - 2.7 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/storage - 1.4 KB
@forgerock/sdk-request-middleware - 4.4 KB
@forgerock/iframe-manager - 2.4 KB
@forgerock/oidc-client - 23.1 KB


11 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files


@ryanbas21 ryanbas21 force-pushed the use-trusted-publishers branch from 3624e4d to 732afa8 Compare September 23, 2025 20:16
branches:
- main
# allow other workflows to call this one (for snapshots)
workflow_call:
Collaborator Author

This is to allow snapshot.yml to call this workflow file.

jobs:
# --- your existing release job: leave unchanged ---
publish-or-pr:
if: github.event_name == 'push'
Collaborator Author

Make sure this is only on push.

@ryanbas21 ryanbas21 force-pushed the use-trusted-publishers branch from 732afa8 to 94c3219 Compare September 23, 2025 20:19

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/publish.yml (2)

164-168: Tighten permissions for the trusted-publish job.

Minimize to what’s needed for npm OIDC and artifact upload; drop issues/pull-requests unless you use them here.

Apply this diff:

     permissions:
-      contents: write # read+write repo (okay for artifacts/logs)
+      contents: read
       id-token: write # REQUIRED: OIDC for npm Trusted Publishers
-      issues: write
-      pull-requests: write
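Review bot: `contents: read` is sufficient for this job as described: the report upload in the walkthrough goes through the artifact API rather than a git push, and nothing in the trusted-publish job opens issues or pull requests, so `issues: write` and `pull-requests: write` are dead weight. The one thing to confirm before dropping `contents: write` is that no step in this job pushes the snapshot version bump back to the branch. `id-token: write` must stay, as the retained comment says, because it is what lets npm mint the OIDC credential in place of a stored token.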

215-219: GH_TOKEN is unnecessary for local snapshot versioning.

This step doesn’t push or create PRs; you can remove the token.

-      - name: Version Packages as prerelease
-        run: pnpm changeset version --snapshot ${{ inputs.prerelease }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Version Packages as prerelease
+        run: pnpm changeset version --snapshot ${{ inputs.prerelease }}
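Review bot: the removed env maps the repository secret `GH_TOKEN` (a stored personal access token) into `GITHUB_TOKEN`, which is exactly the class of long-lived credential this PR sets out to retire; `changeset version --snapshot` only rewrites package.json and changelog files in the local checkout, so nothing is lost by dropping it. Note that the `+` lines repeat the `-` lines for `name:` and `run:` unchanged; the only real deletion is the two `env:` lines.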
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3624e4d and 94c3219.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml (2 hunks)
  • .github/workflows/snapshot.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: pr
🔇 Additional comments (4)
.github/workflows/publish.yml (3)

6-8: LGTM: Exposing this workflow via workflow_call is appropriate for snapshots.


40-46: LGTM: Guarding publish-or-pr to only run on push meets the “push-only” requirement.


176-183: Provenance support verified — .node-version = 22 (Node 22 / npm ≥10)

.node-version contains "22"; workflows use actions/setup-node@v4 with node-version-file '.node-version' and no custom npm invocation was found.

.github/workflows/snapshot.yml (1)

20-24: LGTM: Permissions include id-token for npm OIDC.

These are appropriate for the reusable publish.

Comment on lines +221 to +222
- name: Publish packages with dist-tag
run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }}

⚠️ Potential issue

Add npm provenance to enable Trusted Publishers (OIDC) auth.

Without provenance, npm will expect a token and the publish will likely fail under Trusted Publishers.

Apply this diff:

-      - name: Publish packages with dist-tag
-        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }}
+      - name: Publish packages with dist-tag
+        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }} --provenance
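Review bot: `--provenance` only succeeds when the job holds `id-token: write` and runs on a GitHub-hosted runner, because the attestation is derived from the OIDC token GitHub mints for the run; verify both against the job definition rather than assuming them. The command also keeps `--no-git-checks`, which disables pnpm's clean-tree and branch checks before publishing. That is expected for a snapshot publish from a detached checkout, but it means the provenance statement vouches for whatever the working tree contains, so no earlier step in this job should modify sources beyond the version step.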

Optionally, reinforce via env (not required if flag is present):

-      - name: Publish packages with dist-tag
+      - name: Publish packages with dist-tag
         run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }} --provenance
+        env:
+          NPM_CONFIG_PROVENANCE: 'true'
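Review bot: setting `NPM_CONFIG_PROVENANCE: 'true'` beside an explicit `--provenance` flag is redundant; keep one mechanism so a future edit cannot remove the flag while the env silently keeps (or loses) the behaviour. The `-`/`+` pair for `name: Publish packages with dist-tag` is a no-op in this hunk and can be left out of the suggestion.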
🤖 Prompt for AI Agents
.github/workflows/publish.yml around lines 221-222: the pnpm publish command
lacks npm provenance which is required for Trusted Publishers (OIDC) flows; add
the --provenance flag to the pnpm publish invocation so npm will use provenance
instead of expecting a token, and optionally set an env var to reinforce this
(for example export NPM_CONFIG_ENABLE_OIDC=true or NPM_ENABLE_PROVENANCE=true)
before the publish step.

@ryanbas21 ryanbas21 force-pushed the use-trusted-publishers branch from 94c3219 to 105551a Compare September 23, 2025 21:13

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish.yml (1)

90-104: Enable provenance for publish steps

ci:release runs pnpm publish -r --no-git-checks (package.json:18) and there's a direct pnpm publish -r ... in .github/workflows/publish.yml (line 222); neither passes --provenance. Add --provenance (or set NPM_CONFIG_PROVENANCE=true in the workflow/env) to those publish invocations and ensure OIDC/id-token or a valid token is available for provenance upload (workflow already requests id-token write).

🧹 Nitpick comments (2)
.github/workflows/publish.yml (1)

159-168: Tighten permissions for the reusable trusted publish job.
This job doesn’t modify PRs or issues; contents write is likely unnecessary. Keep id-token: write.

Apply:

   trusted-publish:
     if: ${{ github.event_name == 'workflow_call' }}
     name: Trusted Snapshot Publish
     permissions:
-      contents: write # read+write repo (okay for artifacts/logs)
-      id-token: write # REQUIRED: OIDC for npm Trusted Publishers
-      issues: write
-      pull-requests: write
+      contents: read
+      id-token: write # REQUIRED: OIDC for npm Trusted Publishers
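Review bot: the unchanged guard `if: ${{ github.event_name == 'workflow_call' }}` on the second line of this hunk does not select the reusable path: inside a called workflow the `github` context belongs to the caller, so `github.event_name` is `push` or `workflow_dispatch`, never `workflow_call`, and the job is skipped exactly when snapshot.yml invokes it. Pass an explicit workflow_call input (for example a boolean set by the caller) and test that instead. The permissions change itself is sound: `contents: read` plus `id-token: write` is the minimum the npm OIDC exchange needs.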
.github/workflows/snapshot.yml (1)

21-26: Secrets inheritance present; permissions can likely be reduced or omitted.
Called workflow defines its own permissions; the caller’s permissions aren’t required.

Apply:

   call-trusted-publish:
     name: Call trusted publish (beta dist-tag)
     uses: ./.github/workflows/publish.yml
     with:
       branch: ${{ inputs.branch }}
       dist_tag: beta
       prerelease: beta
       access: public
-    permissions:
-      contents: write
-      id-token: write
-      issues: write
-      pull-requests: write
     secrets: inherit
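Review bot: removing the job-level `permissions:` block is only safe if snapshot.yml grants `id-token: write` at the workflow level. A called workflow can never hold more permissions than its caller passes in, so if this job falls back to a read-only default the callee's `id-token: write` request is refused and the OIDC publish fails. Keep `id-token: write` (and `contents: read`) either on this job or at the top of snapshot.yml, and drop only `issues: write` and `pull-requests: write`, which nothing in the publish path uses.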
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94c3219 and 105551a.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml (2 hunks)
  • .github/workflows/snapshot.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: pr
🔇 Additional comments (6)
.github/workflows/publish.yml (5)

6-8: Allowing workflow_call is correct for trusted publisher delegation.
Matches the snapshot wrapper design.


40-40: Push-only guard added.
This satisfies the prior request to ensure this job runs only on push.


134-142: Beta docs target-folder is correct.
Keeps snapshot docs isolated under beta/.


221-222: Add npm provenance for Trusted Publishers (OIDC) auth.
Without provenance, npm will expect a token and publish will fail.

Apply:

-      - name: Publish packages with dist-tag
-        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }}
+      - name: Publish packages with dist-tag
+        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }} --provenance
+        env:
+          NPM_CONFIG_PROVENANCE: 'true'
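Review bot: same suggestion as in the earlier review, with one precondition worth verifying before merge: npm refuses to publish with `--provenance` when a package's `repository.url` in package.json does not match the repository the OIDC token attests to, so every workspace package published by `pnpm publish -r` needs a correct `repository` field, or the publish fails on the first mismatch.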

176-183: OK — workflow already meets provenance requirements. .node-version = 22 and package.json declares packageManager: [email protected], which satisfies Node 20+ (npm >= 9.5) and pnpm >= 8.6 — no changes required.

.github/workflows/snapshot.yml (1)

12-19: Snapshot workflow correctly delegates to the reusable publish.
Inputs (branch, beta dist-tag/prerelease, public access) look right.

@ryanbas21 ryanbas21 merged commit 909ce5c into main Sep 23, 2025
4 checks passed
@ryanbas21 ryanbas21 deleted the use-trusted-publishers branch September 23, 2025 21:38
@coderabbitai coderabbitai bot mentioned this pull request Oct 3, 2025