Closed igalklebanov closed 2 months ago
The latest updates on your projects. Learn more about Vercel for Git.
Name | Status | Preview | Updated (UTC) |
---|---|---|---|
kysely | ✅ Ready (Inspect) | Visit Preview | May 3, 2024 2:19pm |
Adding NPM tokens to GitHub seems too risky. Any member of kysely-org has access to them.
Yeah, we just shouldn't do this after all. Publishing from actions is a bad idea. Any bad actor can way too easily publish malicious code.
Hey 👋
To add trust, we can follow 1 & 2 and publish to NPM with provenance. This requires the next versions to be published using this GitHub Actions workflow instead of local invocation of `npm publish`, and adding `NPM_TOKEN` to this repository's secrets on GitHub. Not sure how I feel about the recommended snippet having an `on release created` trigger.
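For reference, here is what a provenance-publishing workflow that addresses the two concerns raised in this thread (who can reach `NPM_TOKEN`, and the `release: created` trigger) could look like. This is an added example, not kysely's actual workflow and not the snippet from the npm docs; the environment name `npm-release`, the `tag` input, and the assumption that the environment is configured with required reviewers are all hypothetical.

```yaml
# Added example, not the project's workflow. Assumes a GitHub environment named
# npm-release exists with required reviewers, and that NPM_TOKEN is stored as an
# environment secret there rather than as a repository secret.
name: Publish to npm with provenance

on:
  workflow_dispatch:          # manual trigger instead of `release: created`,
    inputs:                   # so creating a release alone cannot start a publish
      tag:
        description: Git tag to publish (for example v0.27.0)
        required: true

permissions:
  contents: read
  id-token: write             # lets npm obtain the OIDC token it needs to
                              # generate the Sigstore provenance attestation

jobs:
  publish:
    runs-on: ubuntu-latest
    # Environment secrets are only exposed to jobs that target the environment,
    # and required reviewers must approve the job first. Org members who can
    # push or open PRs therefore cannot use NPM_TOKEN without an approval.
    environment: npm-release
    env:
      # Pass the input through an env var instead of interpolating ${{ }} into
      # the shell script, so a crafted input cannot inject shell commands.
      TAG: ${{ inputs.tag }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.tag }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20     # ships npm 10, which supports --provenance
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npm run build

      # Refuse to publish if the requested tag does not match package.json.
      - run: |
          pkg_version="$(node -p "require('./package.json').version")"
          if [ "v$pkg_version" != "$TAG" ]; then
            echo "tag $TAG does not match package.json version $pkg_version" >&2
            exit 1
          fi

      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

With `--provenance`, npm records the workflow, repository and commit that produced the tarball in a signed attestation on the registry; consumers can check it with `npm audit signatures`. The attestation only proves which workflow ran, so restricting who can run that workflow (the environment approval above) is what actually limits who can publish.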