Skip to content

Add staged OIDC publish workflow #524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
patocallaghan merged 4 commits into from
Jun 23, 2026
+93 −1
Merged

Add staged OIDC publish workflow #524

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
39b37d3
Add staged OIDC publish workflow
patocallaghan Jun 12, 2026
ea92a5d
Pin stage-publish to the ancestry-checked SHA (close TOCTOU window)
patocallaghan Jun 17, 2026
79e3ae3
Bump actions/checkout to v7.0.0
patocallaghan Jun 23, 2026
7083ed5
Fix Node-floor comment and add verify timeout
patocallaghan Jun 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .fernignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,5 @@
LICENSE
REPO_OWNER
tests/integration
.github/workflows/ci.yml
.github/workflows/ci.yml
.github/workflows/publish.yml
91 changes: 91 additions & 0 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
# Release workflow for intercom-client.
#
# Publishing model: OIDC trusted publishing + npm staged publishing. CI authenticates to
# npm with a short-lived OIDC token (no stored npm token) and stages the release; a
# maintainer then promotes it from the npm staging area with 2FA. Replaces token-based publishing.
#
# Listed in .fernignore so it is not overwritten by code generation.
name: Publish (staged)

on:
release:
types: [published] # cutting a Release creates the tag AND fires this

permissions:
contents: read # workflow default (least privilege); only stage-publish also needs id-token, granted on that job

concurrency:
group: publish-${{ github.workflow }} # serialize publishes; no dist-tag races
cancel-in-progress: false # queue, don't kill an in-flight publish

jobs:
verify:
runs-on: ubuntu-latest
timeout-minutes: 5 # backstop a hung step (checkout/guards only; no install/build)
outputs:
sha: ${{ steps.resolve.outputs.sha }} # ancestry-checked commit, pinned for downstream
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
fetch-depth: 0 # full history for the ancestry check below
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22' # staged publishing needs Node >= 22.14.0 (npm >= 11.15.0); repo has no .nvmrc
package-manager-cache: false # release-triggered: disable auto-cache (zizmor cache-poisoning)
- name: Assert Release tag matches package.json version
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
PKG="$(node -p "require('./package.json').version")"
[ "${RELEASE_TAG#v}" = "$PKG" ] || { echo "tag $RELEASE_TAG != package.json v$PKG"; exit 1; }
- name: Refuse releases not on the default branch
id: resolve
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
run: |
git merge-base --is-ancestor "$GITHUB_SHA" "origin/$DEFAULT_BRANCH" \

@VedranZoricic VedranZoricic Jun 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirm on the first real release (fails closed, so safe): this ancestry gate needs origin/$DEFAULT_BRANCH to resolve. actions/checkout with fetch-depth: 0 does populate refs/remotes/origin/*, so it should be fine — but if it ever isn't, every publish blocks here rather than failing open, so worth eyeballing this step in the first run's log.

|| { echo "release $RELEASE_TAG not reachable from $DEFAULT_BRANCH — refusing"; exit 1; }
echo "sha=$GITHUB_SHA" >> "$GITHUB_OUTPUT" # downstream checks out this exact SHA, not the mutable tag

stage-publish:
needs: verify
runs-on: ubuntu-latest
timeout-minutes: 15 # cap a hung publish
permissions:
contents: read
id-token: write # OIDC trusted publishing: only this job mints the token
Comment thread
patocallaghan marked this conversation as resolved.
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
ref: ${{ needs.verify.outputs.sha }} # the ancestry-checked SHA, immune to tag re-pointing (TOCTOU)
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false
- run: corepack enable
- run: pnpm install --frozen-lockfile
- run: pnpm run build # mandatory: dist/ is gitignored, so the published artifact is built here
- run: npm install -g npm@11.15.0 # npm CLI: staged publishing needs npm >= 11.15.0
- name: Resolve dist-tag (a prerelease must never go to `latest`)
id: disttag
env:
ALPHA_TAG: alpha
BETA_TAG: beta
PRERELEASE_TAG: next
run: |
VERSION="$(node -p "require('./package.json').version")"
case "$VERSION" in
*-alpha.*) TAG="$ALPHA_TAG" ;;
*-beta.*) TAG="$BETA_TAG" ;;
*-*) TAG="$PRERELEASE_TAG" ;;
*) TAG="latest" ;;
esac
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
- name: Stage publish
env:
DIST_TAG: ${{ steps.disttag.outputs.tag }}
run: npm stage publish --tag "$DIST_TAG"