Skip to content

ci: use trusted publishing to publish our package #906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
crazy-max merged 2 commits into from
Dec 18, 2025
Merged

ci: use trusted publishing to publish our package #906

crazy-max merged 2 commits into from
Dec 18, 2025

Conversation

@crazy-max
Copy link
Member

@crazy-max crazy-max commented Dec 18, 2025

relates to https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/

https://github.com/docker/actions-toolkit/actions/runs/20333326955/job/58415637490#step:3:732

#12 45.12 npm notice unpacked size: 695.4 kB
#12 45.12 npm notice shasum: 86bf5c9e1ece9664de350294423ed865f233d17c
#12 45.12 npm notice integrity: sha512-o1CDEMipEF6wY[...]x7pfBlvGXYW5g==
#12 45.12 npm notice total files: 201
#12 45.12 npm notice
#12 45.12 npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
#12 45.71 npm notice Access token expired or revoked. Please try logging in again.
#12 45.72 npm error code E404
#12 45.72 npm error 404 Not Found - PUT https://registry.npmjs.org/@docker%2factions-toolkit - Not found
#12 45.72 npm error 404
#12 45.72 npm error 404  '@docker/actions-toolkit@0.70.0' is not in this registry.
#12 45.72 npm error 404
#12 45.72 npm error 404 Note that you can also install from a
#12 45.72 npm error 404 tarball, folder, http url, or git url.

Use Trusted publishing to publish our npm package using GitHub OIDC token. Also generate provenance attestation.

@crazy-max
ci: use trusted publishing to publish our npm package
2ea2c9d 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max
ci(publish): generate provenance attestation
1ded416 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max marked this pull request as ready for review December 18, 2025 12:04
@crazy-max crazy-max merged commit 5172be8 into docker:main Dec 18, 2025
196 of 199 checks passed
@crazy-max crazy-max deleted the npm-publish branch December 18, 2025 12:05
@crazy-max crazy-max mentioned this pull request Jan 8, 2026
Closed
27 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@crazy-max crazy-max

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@crazy-max