Closed bensternthal closed 11 months ago
Docs look generally good. I am wondering, for the secure releases, whether there is still some contention between "publish locally", which is what this doc goes over primarily, and "publish from CI". Would it be good to call that out in here? And maybe have a section about securely publishing from CI?
Ideally I would say that for a secure CI publish you would have the following:
There are some systems which also add on user provenance information to these types of setups, but I would guess it is better to start with limited opinions and build from there?
A granular access token on npm simply isn't secure, because it's a single factor, so I don't think it should be referenced here except as something to avoid.
Additionally, "provenance" tells you nothing except which workflow published the package, so I think it's premature to recommend it as a "security" practice.
Yeah, I see where you are coming from. I am not claiming it is perfect or even "great", but I think it will be something end users ask for, and ideally anything is better than nothing if they go off and do some CI publish that is even further from a recommended path. Anyway, not super opinionated here, just a gap I noticed.
Resolving as the discussion has concluded; comments will be integrated into the doc by @ljharb.
Jordan has made updates to two more docs; let's discuss and provide feedback: