Confirmed users
21
edits
GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions
GitHub/Repository Security/GitHub Workflows & Actions (view source)
Revision as of 12:35, 17 November 2025
, 17 November 2025add recommendation for trusted publishing
m (→Scanning Tools: correct misspelled word) |
(add recommendation for trusted publishing) |
||
| Line 106: | Line 106: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
If some permissions are required, set them to the minimum necessary. | If some permissions are required, set them to the minimum necessary. | ||
=== Use NPM Trusted Publishing === | |||
[https://docs.npmjs.com/trusted-publishers NPM trusted publishing] allows you to publish npm packages directly from your CI/CD workflows using OpenID Connect (OIDC) authentication, eliminating the need for long-lived npm tokens. When you configure a trusted publisher for your package, npm will accept publishes from the specific workflow you've authorized, in addition to traditional authentication methods like npm tokens and manual publishes. This approach eliminates the security risks associated with long-lived write tokens, which can be compromised, accidentally exposed in logs, or require manual rotation. Instead, each publish uses short-lived, cryptographically-signed tokens that are specific to your workflow and cannot be extracted or reused. | |||
The steps to use trusted publishing are described in details on this page: https://docs.npmjs.com/trusted-publishers#configuring-trusted-publishing | |||
=== Implement Secure Configuration === | === Implement Secure Configuration === | ||