Change to npm trusted publish by default
Using an env var to set the npm token is not safe, see https://socket.dev/blog/nx-packages-compromised
https://docs.npmjs.com/trusted-publishers
There is a chicken and egg problem here. npm needs to have a package before it can be changed to trusted publish. 😭
https://github.com/napi-rs/package-template/blob/2bfe928222f7d6acb6f3ed2e6d091fb3ca4bd67e/.github/workflows/CI.yml#L339-L341
I would also argue that the `contents: write` permission is not needed if the job does not upload any release assets. According to the napi-rs CLI docs this is turned on by default.
I would recommend some explanatory comments about why each permission is explicitly needed.
```yaml
permissions:
  # permission needed to create/alter a GitHub Release.
  # If `--no-gh-release` is passed to the `napi prepublish` CLI command:
  # use `contents: none`; `read` permission is not needed.
  # See package.json `scripts.prepublishOnly` for project usage/needs.
  # Otherwise, the `GITHUB_TOKEN` env var is used to
  # 1. Create a new GitHub Release (if none exists for the pushed tag).
  # 2. Upload the native modules (*.node files) as release assets.
  contents: write
  # permission needed to either
  # - employ [trusted publishing](https://docs.npmjs.com/trusted-publishers)
  # - upload attestations via `npm publish --provenance` (using an npm token)
  id-token: write
```
It would be even better, security-wise, if jobs did not inherit default permissions (at the global scope of the YAML workflow):

```yaml
permissions: {}
```
Just noticed a typo in the title: "bey" is supposed to be "by".
I am trying to get trusted publishing to work with the napi template - but got stuck: https://github.com/basetenlabs/truss/blob/a3d1c90d6c31f5143974b25456116df288d6dd39/.github/workflows/baseten-performance-client-nodejs.yml
Have you figured it out yet?
> but got stuck: https://github.com/basetenlabs/truss/blob/a3d1c90d6c31f5143974b25456116df288d6dd39/.github/workflows/baseten-performance-client-nodejs.yml
The link you posted does not describe how you "got stuck." To get actual help, you should disclose more detail. What did your CI logs say?
> Have you figured it out yet?
Yeah, it's pretty straightforward. Once you have published packages (must be done first), go to npmjs.com and enable trusted publishing for each package (including the platform-specific packages). Once that is done, your CI workflow doesn't need the token anymore, and you should set `permissions: { id-token: write }`. See also my comment about the `contents` permission.
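To make the before/after concrete, here is an added example workflow fragment (not code from the napi-rs template or from anyone in this thread) showing a token-based publish job next to the trusted-publishing version with the tightened permissions discussed above. The job name, the `actions/*` versions, the Node version and the `NPM_TOKEN` secret name are assumptions; the two variants are separate YAML documents.

```yaml
# BEFORE (constructed): a long-lived npm token is injected into the job environment,
# so any compromised dependency or postinstall script running in this job can read it.
permissions:
  contents: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # secret to remove
---
# AFTER (constructed): trusted publishing. No registry secret exists in the workflow;
# npm authenticates with a short-lived OIDC token minted for this specific workflow run.
permissions: {}            # workflow level: jobs inherit nothing by default
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # only what trusted publishing / provenance needs
      # contents: write    # add only if `napi prepublish` must create a GitHub Release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Trusted publishing requires a recent npm CLI; check the npm trusted-publishers
      # docs linked above for the minimum version and install it explicitly if needed.
      - run: npm install -g npm@latest
      # No NODE_AUTH_TOKEN here: the publish is authorised by the OIDC identity
      # (repo + workflow file) that was registered on npmjs.com for this package.
      - run: npm publish --access public --provenance
```

Each platform-specific package published by the same job must also have trusted publishing enabled on npmjs.com for this workflow, otherwise the publish of that package fails with an auth error while the others succeed.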
Correct, that would have helped. Actually fixed it.
The problem is very napi specific.
The prepublish does not work with OIDC. Solution is to disable scripts for the publish command.
> The prepublish does not work with OIDC. Solution is to disable scripts for the publish command.
I have not experienced this problem. And I've painlessly transitioned to trusted publishing for a couple of napi-rs-based npm projects. Your problem might be specific to napi-rs/cli@v2, whereas my projects have migrated to napi-rs/cli@v3. But again, you have not provided any detail about this alleged problem.
@2bndy5 Thanks! Do you have a project? I would love to copy the CI.
The simplest project I can recommend is 2bndy5/mk-pass. It's kind of like my personal template for any Rust-based project with a CLI and library bindings using pyo3, napi, and cbindgen.