usfm-grammar

Switch to trusted publishing instead of token-based auth in PyPI and npm workflows

Open kavitharaju opened this issue 2 months ago • 1 comment

  • https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
  • https://docs.npmjs.com/trusted-publishers
  • https://docs.github.com/en/actions/concepts/security/openid-connect#adding-permissions-settings

This requires setting up the repo and the GitHub Actions workflow files in the npm and PyPI accounts and adding the permission below to the workflows:

permissions:
  id-token: write  # Required for OIDC

kavitharaju avatar Oct 22 '25 06:10 kavitharaju
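An added example, not taken from the issue or from the usfm-grammar project, of what a release workflow looks like once both registries have been switched to trusted publishing. It assumes the workflow file is named `publish.yml`, that a trusted publisher pointing at this repository, this workflow filename and the `release` environment has been registered in both the PyPI project settings and the npm package settings, and that the Python and Node packages are built from the repository root; the filename, environment name, Python and Node versions and the `npm ci` step are all assumptions.

```yaml
name: Publish

on:
  release:
    types: [published]

# Drop the default token permissions for the whole workflow; each job
# then asks for exactly what it needs.
permissions: {}

jobs:
  pypi:
    runs-on: ubuntu-latest
    environment: release        # assumed; if set, it must match the PyPI trusted-publisher entry
    permissions:
      contents: read
      id-token: write           # lets the job request the OIDC token that PyPI exchanges for a short-lived upload credential
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed
      - run: python -m pip install --upgrade build && python -m build
      # No `password:` input and no PYPI_API_TOKEN secret: the action
      # authenticates with the OIDC token minted for this job.
      - uses: pypa/gh-action-pypi-publish@release/v1

  npm:
    runs-on: ubuntu-latest
    environment: release        # assumed; if set, it must match the npm trusted-publisher entry
    permissions:
      contents: read
      id-token: write           # same OIDC token, exchanged with the npm registry instead
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"       # assumed
          registry-url: "https://registry.npmjs.org"
      # npm trusted publishing needs npm CLI 11.5.1 or later, which the
      # bundled npm may not be; upgrading in the job avoids a silent fallback
      # to token auth that then fails for lack of NODE_AUTH_TOKEN.
      - run: npm install -g npm@latest
      - run: npm ci
      # No NODE_AUTH_TOKEN / NPM_TOKEN secret: npm exchanges the OIDC token for
      # the publish credential and attaches provenance automatically when
      # publishing from a registered trusted publisher.
      - run: npm publish --access public
```

Once a release has gone through on both registries this way, revoke the old long-lived API tokens in the PyPI and npm accounts and delete the repository secrets that held them; otherwise a leaked token still lets anyone publish from outside this workflow. If the trusted-publisher entry and the workflow disagree on repository, filename or environment, the registry rejects the exchange, so a failed first run is the place to compare those three fields rather than to reintroduce a token.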

Also, could you switch out the tree-sitter dependency for the new, actively maintained tree-sitter? I think it is backwards compatible but doesn't throw a critical security error. I don't think it should be an issue with the way it's being used, but it should be an easy fix if backwards compatible.

maxwhipw avatar Nov 10 '25 08:11 maxwhipw