docs(release): update npm publish flow for the post-Dec-2025 token model#38
Merged
Merged
Conversation
The "Publish-only automation token" guidance in the v1.0.0 release checklist was based on npmjs.com's pre-Dec-2025 auth model. Since the December 9, 2025 changes (classic tokens permanently revoked, session-based login with ~2-hour expiry, granular tokens the only option for browser-generated publish tokens), that type no longer exists. Replaces the stale "Add a NPM_TOKEN automation token" section with two current options: - OIDC Trusted Publishing (recommended): GitHub Actions exchanges its OIDC token for a one-hour publish token scoped to the nodeup-cli package. No GitHub secret, no rotation, no leak surface. Per-package config in the npm package's "Trusted Publisher" UI. - Granular access token as NPM_TOKEN: browser-only flow (npm doesn't yet support granular-token creation via the CLI), 90-day max expiry, package-scoped, optional bypass_2fa. Use this if publishing from non-GitHub CI or if you want a human-readable audit trail of which token published which version. Also tightens the 2FA and npm login sections to mention the new session-token-with-2h-expiry behavior and to require an authenticator-app (TOTP) factor explicitly. Refs #35. Co-Authored-By: Sonnet 4.6 <noreply@puku.sh>
|
✔️ 976327f - Conventional commits check succeeded. |
This was referenced Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a real bug in the v1.0.0 release checklist: the "automation
token" guidance was based on npmjs.com's pre-Dec-2025 auth model.
Since the December 9, 2025 changes (classic tokens permanently
revoked, session-based login, granular tokens the only option for
browser-generated publish tokens), that token type does not
exist anymore. The current docs would have sent the user to a
token-type dropdown that isn't there.
Replaces the stale section with two current options:
exchanges its built-in OIDC token for a one-hour publish token
scoped to the
nodeup-clipackage. No GitHub secret to createor rotate, no token to leak, per-package config in the npm
package's "Trusted Publisher" UI.
NPM_TOKEN— browser-only flow(npm doesn't yet support granular-token creation via the CLI),
90-day max expiry, package-scoped, optional
bypass_2faforunattended CI. Use this if you publish from non-GitHub CI or
want a human-readable audit trail of which token published
which version.
Also tightens the 2FA section (TOTP authenticator-app required;
SMS/email modes don't work for publish) and the manual
npm loginsection (now a short-lived session token, ~2-hour expiry, separate
OTP prompts for login vs publish).
Linked issues
Refs #35 (tracking issue for the npm-publish step)
Type of change
feat— new feature (MINOR bump)fix— bug fix (PATCH bump)refactor— no behavior changedocs— documentation onlychore— maintenance / dependency bumpci— CI/CD onlybuild— build system onlyChecklist
docs(release): subject)make cilocally — docs-only, no code changeScope notes / things reviewers may want to look at
gone to the npm token page looking for an "Automation" type
that no longer exists. This is a doc fix that prevents a
release-day blocker.
"Add
NPM_TOKEN" guidance in the checklist (and thegh secret set NPM_TOKENstep in the plan) was correct as of the projectplanning phase but became stale when npm shipped the
December 2025 auth changes. The right fix is to update the
checklist now rather than wait until release time.
GitHub Actions and is what I'd wire up for the v1.0.0 release
workflow. Granular tokens are kept in the docs as a fallback
for non-GH CI and for users who prefer a tangible secret to
audit. Both end with
npm publish --provenance --access public,which is now required for packages linked to public repos.
How to verify
Read the post-tag section of
docs/release-checklist.md:"Publishing
nodeup-npmto the npm registry" → "Can I automateit?" — the two options there should be OIDC first, granular
token second. The manual section above it should now mention
session-token expiry and the dual-OTP behavior.