
Enable OIDC per-publish review #7391

@paulmillr

Description


This part of a blog post:

OIDC trusted-publisher binding has no per-publish review. Once configured, any code path in the workflow can mint a publish-capable token. We need to either (a) move to short-lived classic tokens with manual review, or (b) add provenance source verification to detect publishes from unexpected workflow steps.

This could easily be solved:

  • On NPM, in the package settings, limit publishing to one environment (e.g. publish)
  • On GitHub, create a publish environment, then require maintainer review before publishing

Demo: https://github.com/alcuadrado/trusted-publishing-example

Complete minimal reproducer

https://example.com
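Added example (not from this issue or from the linked demo repository) of a release workflow that confines the OIDC publish to a single GitHub environment named publish; it assumes the environment's required-reviewer rule is configured in the repository's Settings > Environments, that the npm package's trusted publisher is bound to that same environment name, and that npm publish with --provenance picks up the runner's OIDC token via trusted publishing.

```yaml
name: release

on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: ubuntu-latest
    # No id-token permission here: build and test steps cannot mint a
    # publish-capable OIDC token even if a dependency or script tries to.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm test
      - run: npm pack
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: "*.tgz"

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Assumed: the "publish" environment exists with "Required reviewers"
    # enabled, so this job pauses until a maintainer approves the run.
    # Assumed: the npm trusted-publisher entry for the package names this
    # environment, so tokens minted from any other job are rejected.
    environment: publish
    permissions:
      id-token: write   # only this job may mint the OIDC token
      contents: read
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - uses: actions/download-artifact@v4
        with:
          name: package
      # Publishes the reviewed, prebuilt tarball rather than rebuilding here,
      # so what the reviewer approved is what reaches the registry.
      - run: npm publish ./*.tgz --provenance --access public
```

Splitting build and publish into separate jobs is what makes the environment gate meaningful: the token can only be minted after the approval, and only in the job that needs it.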
