vercel[bot]
commented
2 months ago The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| kysely | ✅ Ready (Inspect) | Visit Preview | May 3, 2024 2:19pm |
Closed igalklebanov closed 2 months ago
vercel[bot]
commented
2 months ago The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Updated (UTC) |
|---|---|---|---|
| kysely | ✅ Ready (Inspect) | Visit Preview | May 3, 2024 2:19pm |
koskimas
commented
2 months ago Adding NPM tokens to github seems too risky. Any member of kysely-org has access to them.
koskimas
commented
2 months ago Yeah, we just shouldn't do this after all. Publishing from actions is a bad idea. Any bad actor can way too easily publish malicious code.
Hey 👋
To add trust, we can follow 1 & 2 and publish to NPM with provenance. This requires the next versions to be published using this Github Actions workflow instead of local invocation of
npm publish, and addingNPM_TOKENto this repository's secrets on GitHub.Now sure how I feel about the recommended snippet having an on release created trigger.