Maintenance: Add registry-url to setup-node steps to fix Scorecard packaging check #4538

@dreamorosi

Description

Summary

The OSSF Scorecard packaging check is currently failing with an "inconclusive" result (-1 score) because our GitHub Actions workflows don't match the pattern it expects for npm publishing workflows. Our workflows do publish packages to npm correctly, but they configure the registry with npm set instead of the registry-url parameter that Scorecard specifically looks for.

Why is this needed?

We use OSSF Scorecard to continuously evaluate our project against various security practices. Our current packaging check failure affects our overall security score and may impact user confidence in the project's security posture.

After reviewing the Scorecard repo, the packaging check specifically looks for:

  1. actions/setup-node with registry-url: 'https://registry.npmjs.org'
  2. An npm.*publish command

We have #2 but are missing #1. The check's pattern matching is rigid and doesn't recognize our current authentication method using npm set.

Solution

Add the registry-url: 'https://registry.npmjs.org' parameter to the actions/setup-node steps in:

  • .github/workflows/make-release.yml
  • .github/workflows/publish-package.yml

Example change:

- name: Setup NodeJS
  uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
  with:
    node-version: "22"
    cache: "npm"
    registry-url: 'https://registry.npmjs.org'  # Add this line

This change is purely additive and won't affect the existing npm set authentication method. It will allow Scorecard to properly detect our packaging workflow and improve our security score.
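To make the gap concrete, the following is an added example (not part of the issue, and not Scorecard's own code) that reproduces the two-part heuristic described above as a small linter: a step using actions/setup-node must carry registry-url: https://registry.npmjs.org, and some run step must contain an npm ... publish command. The BEFORE and AFTER workflows are constructed samples modelled on the snippet in this issue, not the repository's real make-release.yml or publish-package.yml; the pattern matching is my approximation of what the check looks for, so use it as a pre-commit sanity check, not as a substitute for running Scorecard.

```python
import re

# Constructed sample workflow: publishes correctly, but authenticates
# with "npm set" and never declares registry-url on setup-node.
BEFORE = """\
name: Publish
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup NodeJS
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: "22"
          cache: "npm"
      - run: npm set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
      - run: npm publish --provenance --access public
"""

# Same workflow with the one additive line this issue proposes.
AFTER = BEFORE.replace(
    '          cache: "npm"\n',
    '          cache: "npm"\n          registry-url: \'https://registry.npmjs.org\'\n',
)

# Approximation of the two patterns the issue says Scorecard requires.
SETUP_NODE_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*actions/setup-node@", re.M)
REGISTRY_URL_RE = re.compile(
    r'''^\s*registry-url:\s*["']?https://registry\.npmjs\.org/?["']?\s*$''', re.M
)
NPM_PUBLISH_RE = re.compile(r"^\s*(?:-\s*)?run:\s*.*\bnpm\b.*\bpublish\b", re.M)


def split_steps(workflow: str) -> list[str]:
    """Split the first 'steps:' list of a workflow into one text block per step.

    Deliberately regex/indent based so the example runs without PyYAML;
    a step starts at a '- ' item at the list's indentation level.
    """
    steps, current, step_indent, in_steps = [], [], None, False
    for line in workflow.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not in_steps:
            in_steps = stripped.startswith("steps:")
            continue
        if not stripped:
            continue
        if step_indent is None:
            step_indent = indent
        if indent < step_indent:  # dedent: we have left the steps list
            break
        if indent == step_indent and stripped.startswith("- "):
            if current:
                steps.append("\n".join(current))
            current = [line]
        else:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def step_configures_npm_registry(step: str) -> bool:
    """True if this step is actions/setup-node and declares the npmjs registry-url."""
    return bool(SETUP_NODE_RE.search(step) and REGISTRY_URL_RE.search(step))


def step_runs_npm_publish(step: str) -> bool:
    """True if this step's run command looks like 'npm ... publish'."""
    return bool(NPM_PUBLISH_RE.search(step))


def missing_pieces(workflow: str) -> list[str]:
    """Return the human-readable list of requirements the workflow does not meet."""
    steps = split_steps(workflow)
    missing = []
    if not any(step_configures_npm_registry(s) for s in steps):
        missing.append("actions/setup-node with registry-url: https://registry.npmjs.org")
    if not any(step_runs_npm_publish(s) for s in steps):
        missing.append("a run step containing an npm ... publish command")
    return missing


def scorecard_style_npm_packaging_match(workflow: str) -> bool:
    """True when both patterns are present, i.e. the heuristic would recognise the workflow."""
    return not missing_pieces(workflow)


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", "match" if scorecard_style_npm_packaging_match(wf) else missing_pieces(wf))
```

Running it reports the BEFORE workflow as missing only the registry-url requirement (the publish command is already there, exactly the situation the issue describes), and the AFTER workflow as matching both. Because the check is a textual pattern match, note that an equivalent but differently spelled configuration (for example the registry URL set through npm set or an .npmrc file) still fails it, which is why the fix is to add the literal parameter rather than to change how authentication works.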

While we're at it, let's also update the OSSF Scorecard badge URL in the main README file to use this link: https://scorecard.dev/viewer/?uri=github.com/aws-powertools/powertools-lambda-typescript

Right now it uses a JSON link that is pretty hard to parse, but this rendered one is better.

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.