Closed i0x0 closed 1 year ago
That's true. I need to migrate the current publishing workflow to something more straightforward, probably this: https://pr-release.org/
I will publish 1.0.8 right now. Leave this issue open; it will keep track of the migration to pr-release.
Edit: 1.0.8 was published. I will migrate this repository to use pr-release, to avoid this issue repeating, when I have time.
I'll keep this issue open until this or this gets sorted. Since npm is already famous for its supply chain attacks, and since it's recommended to always use the latest pr-release while providing it a way too broad token, I think pr-release can wait a while.
Maybe I can implement a simpler CI workflow like this one in the meanwhile.
Edit: Renamed the issue to make it clearer why it's still open.
GitHub now supports fine-grained personal access tokens. It looks like there are plans for npm to support them too. As soon as both support this feature, I will implement pr-release without having to worry too much about potential supply chain attacks.
Granular access tokens are finally available in npm. Now it's possible to use pr-release quite safely. I'll work on that.
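What a least-privilege publish workflow looks like once the npm token itself is scoped, as an added example for this thread; it is not the project's own workflow and not pr-release's. It assumes a GitHub Actions setup, that the npm granular access token (limited to this one package, publish-only, with an expiry date) is stored as a repository secret named `NPM_TOKEN`, and that a GitHub environment named `npm-publish` exists; both names are assumptions.

```yaml
# Added example, not the project's or pr-release's workflow.
# Assumes: npm granular access token scoped to one package (publish only,
# with expiry) stored as repository secret NPM_TOKEN; environment name
# npm-publish exists. Both names are assumptions.
name: publish
on:
  push:
    tags: ['v*']

# Default GITHUB_TOKEN permissions for the whole workflow: read-only.
# Nothing in a publish job needs to write to the repository.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Bind the secret to an environment so it is only exposed to this job
    # (environment protection rules are configured in the repository settings).
    environment: npm-publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN at publish time,
          # so the token never has to be committed or echoed into a file by hand.
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm test
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The "way too broad token" concern from the earlier comments is narrowed on two axes here: the npm token can only publish this one package and expires on its own, and the workflow's GITHUB_TOKEN is read-only, so a compromised dependency running inside `npm ci` or `npm test` cannot push to the repository or touch other packages with what it finds in the job.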
I just finished implementing pr-release. I hope everything went well.