
Make NPM_TOKEN optional for package release

Open tidoust opened this issue 2 weeks ago • 1 comments

Classic tokens are no longer supported by npm. We may still want to run the release script from a local machine using a fine-grained access token, but these tokens expire after 90 days at most and are thus not suitable for our release process.

I set up OpenID Connect between the 4 @webref/* packages in npm and GitHub Actions and dropped the former NPM_TOKEN secret. This update adjusts the release script not to fail if such a token cannot be found. The call to npmPublish gets adjusted accordingly only to pass the token if it exists.

That should close #1739.

tidoust, Dec 10 '25 16:12
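The token-optional behaviour described in this post, as an added example that is not the webref release script: the token is passed to the publish call only when it is set, and otherwise the run relies on the OIDC context that GitHub Actions provides. The helper names `resolvePublishAuth` and `buildPublishOptions` and the shape of the options object are assumptions, and the early failure when neither credential is available goes beyond what the post describes.

```javascript
// Added illustration, not the webref release script.
// Assumption: the publish helper takes an options object with an optional `token`.

// GitHub Actions sets these for a job only when the workflow grants
// `permissions: id-token: write`, which OIDC trusted publishing requires.
const OIDC_VARS = ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"];

// Decide how this run can authenticate to npm: explicit token, OIDC, or neither.
function resolvePublishAuth(env) {
  const token = (env.NPM_TOKEN ?? "").trim(); // an empty secret counts as absent
  if (token) return { mode: "token", token };
  if (env.GITHUB_ACTIONS !== "true") {
    return { mode: "none", reason: "no NPM_TOKEN and not running in GitHub Actions" };
  }
  const missing = OIDC_VARS.filter((name) => !env[name]);
  if (missing.length > 0) {
    return { mode: "none", reason: `id-token permission not granted (unset: ${missing.join(", ")})` };
  }
  return { mode: "oidc" };
}

// Build the options for one package; `token` is present only in token mode.
function buildPublishOptions(packageFolder, env = process.env) {
  const auth = resolvePublishAuth(env);
  if (auth.mode === "none") {
    throw new Error(`Cannot publish ${packageFolder}: ${auth.reason}`);
  }
  const options = { package: `${packageFolder}/package.json` };
  if (auth.mode === "token") options.token = auth.token;
  return { mode: auth.mode, options };
}

// Constructed sample environments (values are placeholders, not real secrets).
const ciEnv = {
  GITHUB_ACTIONS: "true",
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://example.invalid/oidc",
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "constructed-request-token",
};
const localEnv = { NPM_TOKEN: "  constructed-fine-grained-token  " };

console.log(buildPublishOptions("packages/idl", ciEnv).mode);    // oidc
console.log(buildPublishOptions("packages/idl", localEnv).mode); // token
```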

> Is there anything to document about potential renewal/update to the OpenID connection? Is that linked to your NPM account specifically?

No, "Trusted Publishers" settings are tied to each package, for example: https://www.npmjs.com/package/@webref/css/access. All package admins should have access to these settings.

The npm documentation you mentioned in #1739 is pretty straightforward. (It's so straightforward it's suspicious, I probably missed something ;))

It still seems valuable to add a comment in the code to explain that there are prerequisites and point at the documentation. Will do that.

tidoust, Dec 10 '25 18:12

Oh... I merged https://github.com/w3c/webref/pull/1736 but https://github.com/w3c/webref/actions/runs/20142389583 failed. When this is merged, how can we make that release happen?

foolip, Dec 11 '25 17:12

Ah, I should have annotated the package release pull requests to note that they were being blocked on the migration away from NPM tokens.

We can just ignore PR #1736 that you merged. It just bumped the patch version in packages/idl/package.json, not a big deal if the version number in that file does not map to an existing package. Tooling simply created a new PR #1746. Merging it will release the IDL updates.

We should just look at filter-effects first. We had a "freeze" patch for this one because the draft spec was broken, but the spec just moved to the w3c/csswg-drafts repository, and the patch is either no longer needed or no longer does what it should.

I'll look into this and hopefully release a new version of @webref/idl later today.

tidoust, Dec 12 '25 06:12