ossf / package-manager-best-practices

Collection of security best practices for package managers.
Apache License 2.0
159 stars 19 forks

RC npm: do not recommend publishing from CI #13

Closed ljharb closed 2 years ago

ljharb commented 2 years ago

Automation publish tokens are explicitly one-factor, which imo is less secure than publishing directly from a dev's laptop.

If npm supported staged builds, then publishing a staged build from CI, and then a human using 2FA locally to "promote" it, would be the most secure way to publish - but lacking that, the best I think we can get is using CI to generate a tagged release commit, and then having a publisher locally download it, run npm install or npm ci, and npm publish.
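
The local "promote" step this comment describes, as an added example (not code from the thread or the ossf repository): a script that refuses to run under CI or with a one-factor automation token present, checks out the CI-produced tag only if it is signed, installs with `npm ci`, shows the tarball file list for review, and publishes with the publisher's 2FA code. The tag format `vX.Y.Z`, the `PROMOTE_MAIN` switch and the CI/token variable names checked are assumptions.

```shell
#!/bin/sh
# Added example: human "promotion" of a CI-built release tag to npm.
set -eu

# Refuse to publish from CI or with an automation token in the environment:
# both are one-factor, which is the point of publishing from a 2FA laptop.
# (Variable names checked are an assumption; extend for your CI.)
guard_env() {
  if [ -n "${CI:-}" ] || [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "refusing: interactive publishing only, not from CI" >&2
    return 1
  fi
  if [ -n "${NPM_TOKEN:-}" ] || [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "refusing: automation token set; log in with 2FA instead" >&2
    return 1
  fi
  return 0
}

# Release tags are assumed to look like v1.2.3.
is_release_tag() {
  case "$1" in
    v[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

promote() {
  tag="$1"
  guard_env
  is_release_tag "$tag" || { echo "not a release tag: $tag" >&2; return 1; }
  git fetch --tags origin
  git verify-tag "$tag"                 # tag must carry a trusted signature
  git checkout --detach "tags/$tag"
  [ -z "$(git status --porcelain)" ] || { echo "tree not clean" >&2; return 1; }
  npm ci --ignore-scripts               # reproduce CI's install from the lockfile
  npm pack --dry-run                    # review exactly what will be published
  printf 'npm 2FA code: ' >&2
  read -r otp
  npm publish --otp="$otp"
}

# Run only when invoked as PROMOTE_MAIN=1 ./promote.sh vX.Y.Z (assumed switch).
if [ "${PROMOTE_MAIN:-0}" = 1 ]; then
  promote "${1:?usage: PROMOTE_MAIN=1 promote.sh vX.Y.Z}"
fi
```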

lumjjb commented 2 years ago

I think what you say is true for some scenarios. I do think that this is a little more nuanced, depending on the use cases and environment/setup.

Having strong authentication (including 2FA) and tightly scoped tokens implemented for the request of the release pipeline would provide a similar (and in some cases stronger, by allowing de-privileging builders) trust model.

However, I do agree that there is definitely a nice QOL in being able to take a look at the release that comes out before finalizing it. I think there is a place for it.

Depending on how the api around CI releasing is done, I think generalizing it as "less secure" is a bit too strong of a statement.

jeffmendoza commented 2 years ago

Closed with #27