From c8bc4145e339e646ba8a9888a595b8607e0f588e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 11:15:44 +0000 Subject: [PATCH 1/3] Initial plan From 2dc4f2d05eab96a5b20d148756287a685ad6e765 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Mar 2026 11:23:36 +0000 Subject: [PATCH 2/3] Automate npm trusted publishing setup using `npm trust` CLI command Update workflows and documentation to use `npm trust github` (available in npm >= 11.10.0, from npm/cli#8899) instead of requiring manual web UI configuration on npmjs.com. Changes: - setup-trusted-publish.yml: Add OTP input and `npm trust github` step to automatically configure trusted publishing after package creation - turbo/generators/config.ts: Simplify setup instructions with CLI command - README.todo.md.hbs: Replace manual web UI steps with CLI command - CONTRIBUTING.md: Update both new and existing package sections - AGENTS.md: Update trusted publishing quick reference Co-authored-by: stipsan <81981+stipsan@users.noreply.github.com> --- .github/workflows/setup-trusted-publish.yml | 31 ++++++++++++- AGENTS.md | 10 ++--- CONTRIBUTING.md | 43 +++++++++++-------- turbo/generators/config.ts | 15 +++---- turbo/generators/templates/README.todo.md.hbs | 28 ++++++------ 5 files changed, 78 insertions(+), 49 deletions(-) diff --git a/.github/workflows/setup-trusted-publish.yml b/.github/workflows/setup-trusted-publish.yml index 56687486f0..cbdbfb9266 100644 --- a/.github/workflows/setup-trusted-publish.yml +++ b/.github/workflows/setup-trusted-publish.yml 
@@ -4,8 +4,11 @@ on: workflow_dispatch: inputs: package: - description: 'The package name name, for example @sanity/foo-bar' + description: 'The package name, for example @sanity/foo-bar' required: true + otp: + description: 'npm OTP code for 2FA (required to configure trusted publishing automatically)' + required: false permissions: contents: read @@ -18,3 +21,29 @@ jobs: - uses: ./.github/actions/setup - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" > ~/.npmrc - run: pnpm setup-npm-trusted-publish ${{ inputs.package }} + - name: Configure trusted publishing + run: | + NPM_VERSION=$(npm --version) + REQUIRED_VERSION="11.10.0" + + if npx semver -r ">=${REQUIRED_VERSION}" "${NPM_VERSION}" > /dev/null 2>&1; then + if [ -n "$OTP" ]; then + echo "🔐 Configuring trusted publishing for ${{ inputs.package }}..." + npm trust github "${{ inputs.package }}" --file=release.yml --repository=sanity-io/plugins --yes --otp="$OTP" + echo "✅ Trusted publishing configured successfully!" + else + echo "⚠️ No OTP provided. To configure trusted publishing, run locally:" + echo "" + echo " npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins" + echo "" + fi + else + echo "⚠️ npm ${NPM_VERSION} does not support 'npm trust' (requires >=${REQUIRED_VERSION})." + echo "To configure trusted publishing, update npm and run locally:" + echo "" + echo " npm install -g npm@^${REQUIRED_VERSION}" + echo " npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins" + echo "" + fi + env: + OTP: ${{ inputs.otp }} diff --git a/AGENTS.md b/AGENTS.md index da5333fd89..f9e4e6ba5b 100644 --- a/AGENTS.md +++ b/AGENTS.md 
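Review bot: The new "Configure trusted publishing" step substitutes `${{ inputs.package }}` straight into the `run:` script text (the `npm trust github "${{ inputs.package }}"` call and the four echo lines), so the workflow_dispatch value becomes part of the shell command before it executes and a name containing shell metacharacters is interpreted rather than passed as an argument. The OTP already takes the safe path through `env:`; give the package name the same treatment by adding `PACKAGE: ${{ inputs.package }}` under `env:` and replacing every `${{ inputs.package }}` in the script with `"$PACKAGE"` (five occurrences). The same inline substitution is kept in the echo-only rewrite of this step in patch 3/3, so the fix applies there too. The version gate also runs `npx semver`, which fetches the package from the registry at run time unless semver is already a workspace dependency; pinning it to a known version, or comparing with the npm that the setup action already installed, keeps an unpinned download out of a job that has just written the publish token to ~/.npmrc. The job header and the earlier steps sit above this hunk.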
@@ -315,17 +315,13 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed instructions on: **For brand new packages (not yet on npm):** - Use the "Setup a new npm package with Trusted Publishing" GitHub Actions workflow -- The workflow will create the package and provide setup instructions +- Provide your npm OTP code to automatically configure trusted publishing +- If OTP wasn't provided, run locally: `npm trust github --file=release.yml --repository=sanity-io/plugins` **For existing packages (already on npm):** - ⚠️ DO NOT use the setup workflow -- Manually configure trusted publishing at: `https://www.npmjs.com/package/PACKAGE-NAME/access` -- Add GitHub Actions as trusted publisher with: - - Owner: `sanity-io` - - Repository: `plugins` - - Workflow: `release.yml` - - Environment: _(leave empty)_ +- Run: `npm trust github --file=release.yml --repository=sanity-io/plugins` (requires npm >= 11.10.0) ## Code Style diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b6071fa697..48d746be1b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -152,21 +152,14 @@ If you're creating a package that has never been published to npm before: 2. Find the **"Setup a new npm package with Trusted Publishing"** workflow 3. Click **"Run workflow"** 4. Enter the package name (e.g., `@sanity/my-new-plugin` or `sanity-plugin-my-feature`) -5. The workflow will create the package on npm and output instructions for configuring trusted publishing +5. Enter your **npm OTP code** to automatically configure trusted publishing +6. Click **"Run workflow"** — the workflow will create the package on npm and configure trusted publishing -After the workflow completes, go to the package settings on npm and configure trusted publishing with these values: +If you didn't provide an OTP, or the workflow couldn't configure trusted publishing automatically, run this command locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): -| Setting | Value | -| ------------- | --------------- | -| Organization | `sanity-io` | -| Repository | `plugins` | -| Workflow name | `release.yml` | -| Environment | _(leave blank)_ | - -Under token settings, configure: - -- **Require 2FA** for publishing -- **Disallow tokens** (granular and automation tokens) +```bash +npm trust github --file=release.yml --repository=sanity-io/plugins +``` This sets up [OIDC-based trusted publishing](https://docs.npmjs.com/generating-provenance-statements) so the release workflow can publish packages without storing npm tokens. 
@@ -174,7 +167,16 @@ This sets up [OIDC-based trusted publishing](https://docs.npmjs.com/generating-p ⚠️ **Do NOT use the "Setup a new npm package with Trusted Publishing" workflow for existing packages!** That workflow is only for brand new packages that don't have an npm settings page yet. -For packages that are already published to npm, manually configure trusted publishing: +For packages that are already published to npm, configure trusted publishing using the npm CLI (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): + +```bash +npm trust github --file=release.yml --repository=sanity-io/plugins +``` + +
+Alternative: Configure via npm website + +If you don't have npm >= 11.10.0, you can configure trusted publishing manually: 1. Go to your package's access settings page: `https://www.npmjs.com/package/YOUR-PACKAGE-NAME/access` 2. Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"** @@ -188,9 +190,8 @@ For packages that are already published to npm, manually configure trusted publi | **Environment name** | _(leave empty)_ | 4. Click **"Add trusted publisher"** -5. Under **"Token settings"**, ensure: - - ✅ **Require 2FA** for publishing is enabled - - ✅ **Disallow tokens** (both granular and automation tokens) + +
### 2. Init the plugin workspace @@ -226,7 +227,13 @@ Commit the changeset file with your PR. ### 1. Set Up Trusted Publishing -Since the plugin is already published to npm, you need to manually configure trusted publishing. See [For Existing Packages](#for-existing-packages-already-on-npm) above for detailed instructions. +Since the plugin is already published to npm, configure trusted publishing using the npm CLI (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): + +```bash +npm trust github --file=release.yml --repository=sanity-io/plugins +``` + +See [For Existing Packages](#for-existing-packages-already-on-npm) above for alternative manual instructions. ### 2. Init the plugin workspace diff --git a/turbo/generators/config.ts b/turbo/generators/config.ts index 3e26e5f74e..cf989b30bd 100644 --- a/turbo/generators/config.ts +++ b/turbo/generators/config.ts 
@@ -49,17 +49,14 @@ First, create the package on npm by running the setup-trusted-publish workflow: 1. Go to https://github.com/sanity-io/plugins/actions/workflows/setup-trusted-publish.yml 2. Click "Run workflow" 3. Enter "${name}" in "The package name" -4. Click "Run workflow" in the popover -5. Wait for the workflow to complete - this creates the initial package on npm +4. Enter your npm OTP code to automatically configure trusted publishing +5. Click "Run workflow" in the popover +6. Wait for the workflow to complete -Then, configure trusted publishing so releases can be automated: +If you didn't provide an OTP, or the workflow couldn't configure trusted publishing automatically, +run this command locally (requires npm >= 11.10.0): -6. Open https://www.npmjs.com/package/${name}/access -7. Under "Trusted Publisher", click "GitHub Actions" -8. In "Organization or user", enter: sanity-io -9. In "Repository", enter: plugins -10. In "Workflow filename", enter: release.yml -11. Click "Set up connection" + npm trust github ${name} --file=release.yml --repository=sanity-io/plugins After completing these steps, run this generator again. ` diff --git a/turbo/generators/templates/README.todo.md.hbs b/turbo/generators/templates/README.todo.md.hbs index 449009fcb6..0e58b56646 100644 --- a/turbo/generators/templates/README.todo.md.hbs +++ b/turbo/generators/templates/README.todo.md.hbs 
@@ -12,15 +12,22 @@ This plugin was scaffolded using `pnpm generate "copy plugin"`. ⚠️ **If trusted publishing is not configured correctly, the plugin will fail to publish from this monorepo.** -Go to the npm package access settings: +Run this command locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): -**https://www.npmjs.com/package/{{ name }}/access** +```bash +npm trust github {{ name }} --file=release.yml --repository=sanity-io/plugins +``` + +This sets up OIDC-based trusted publishing so the GitHub Actions release workflow can publish this package without storing npm tokens. -### Configure GitHub Actions as Trusted Publisher +
+Alternative: Configure via npm website -Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"**. +If you don't have npm >= 11.10.0, you can configure trusted publishing manually: -Fill in the fields **exactly** as shown: +1. Go to **https://www.npmjs.com/package/{{ name }}/access** +2. Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"** +3. Fill in the fields: | Setting | Value | | -------------------- | ------------- | @@ -29,16 +36,9 @@ Fill in the fields **exactly** as shown: | **Workflow** | `release.yml` | | **Environment name** | _(leave empty)_ | -Click **"Add trusted publisher"**. - -### Configure Token Settings - -Under **"Token settings"**, ensure: - -- ✅ **Require 2FA** for publishing is enabled -- ✅ **Disallow tokens** (both granular and automation tokens) +4. Click **"Add trusted publisher"** -This ensures only the GitHub Actions release workflow can publish this package using OIDC-based trusted publishing. +
## 2. Update package.json Dependencies From 56cedf6537b232a2faaf9472f23796bca44bd8eb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 08:16:20 +0000 Subject: [PATCH 3/3] Remove OTP input, just echo local CLI instructions instead Co-authored-by: stipsan <81981+stipsan@users.noreply.github.com> --- .github/workflows/setup-trusted-publish.yml | 33 ++++----------------- AGENTS.md | 3 +- CONTRIBUTING.md | 5 ++-- turbo/generators/config.ts | 8 ++--- 4 files changed, 12 insertions(+), 37 deletions(-) diff --git a/.github/workflows/setup-trusted-publish.yml b/.github/workflows/setup-trusted-publish.yml index cbdbfb9266..f22bb5d00c 100644 --- a/.github/workflows/setup-trusted-publish.yml +++ b/.github/workflows/setup-trusted-publish.yml @@ -6,9 +6,6 @@ on: package: description: 'The package name, for example @sanity/foo-bar' required: true - otp: - description: 'npm OTP code for 2FA (required to configure trusted publishing automatically)' - required: false permissions: contents: read 
@@ -23,27 +20,9 @@ jobs: - run: pnpm setup-npm-trusted-publish ${{ inputs.package }} - name: Configure trusted publishing run: | - NPM_VERSION=$(npm --version) - REQUIRED_VERSION="11.10.0" - - if npx semver -r ">=${REQUIRED_VERSION}" "${NPM_VERSION}" > /dev/null 2>&1; then - if [ -n "$OTP" ]; then - echo "🔐 Configuring trusted publishing for ${{ inputs.package }}..." - npm trust github "${{ inputs.package }}" --file=release.yml --repository=sanity-io/plugins --yes --otp="$OTP" - echo "✅ Trusted publishing configured successfully!" - else - echo "⚠️ No OTP provided. To configure trusted publishing, run locally:" - echo "" - echo " npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins" - echo "" - fi - else - echo "⚠️ npm ${NPM_VERSION} does not support 'npm trust' (requires >=${REQUIRED_VERSION})." - echo "To configure trusted publishing, update npm and run locally:" - echo "" - echo " npm install -g npm@^${REQUIRED_VERSION}" - echo " npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins" - echo "" - fi - env: - OTP: ${{ inputs.otp }} + echo "📦 Package ${{ inputs.package }} has been created on npm." + echo "" + echo "Next, configure trusted publishing by running locally (requires npm >= 11.10.0):" + echo "" + echo " npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins" + echo "" diff --git a/AGENTS.md b/AGENTS.md index f9e4e6ba5b..5950de07dc 100644 --- a/AGENTS.md +++ b/AGENTS.md 
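Review bot: The step keeps the name `Configure trusted publishing` although it now only prints the command the developer has to run locally, so a green run reads as if trusted publishing had been configured when nothing on npm was changed. Rename it to match what it does, e.g. `- name: Print trusted publishing setup instructions`, and consider appending the same text to `"$GITHUB_STEP_SUMMARY"` so the follow-up command is visible on the run page without opening the log. A short comment above the step, such as `# npm trust needs an OTP, so the actual configuration is done by the developer locally`, would explain why the workflow stops here. The job header is above the hunk.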
@@ -315,8 +315,7 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed instructions on: **For brand new packages (not yet on npm):** - Use the "Setup a new npm package with Trusted Publishing" GitHub Actions workflow -- Provide your npm OTP code to automatically configure trusted publishing -- If OTP wasn't provided, run locally: `npm trust github --file=release.yml --repository=sanity-io/plugins` +- Then run locally: `npm trust github --file=release.yml --repository=sanity-io/plugins` (requires npm >= 11.10.0) **For existing packages (already on npm):** diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 48d746be1b..9ad31bb2c2 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -152,10 +152,9 @@ If you're creating a package that has never been published to npm before: 2. Find the **"Setup a new npm package with Trusted Publishing"** workflow 3. Click **"Run workflow"** 4. Enter the package name (e.g., `@sanity/my-new-plugin` or `sanity-plugin-my-feature`) -5. Enter your **npm OTP code** to automatically configure trusted publishing -6. Click **"Run workflow"** — the workflow will create the package on npm and configure trusted publishing +5. Click **"Run workflow"** — the workflow will create the package on npm -If you didn't provide an OTP, or the workflow couldn't configure trusted publishing automatically, run this command locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): +Then, configure trusted publishing by running locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)): ```bash npm trust github --file=release.yml --repository=sanity-io/plugins diff --git a/turbo/generators/config.ts b/turbo/generators/config.ts index cf989b30bd..7c3e418df9 100644 --- a/turbo/generators/config.ts +++ b/turbo/generators/config.ts 
@@ -49,12 +49,10 @@ First, create the package on npm by running the setup-trusted-publish workflow: 1. Go to https://github.com/sanity-io/plugins/actions/workflows/setup-trusted-publish.yml 2. Click "Run workflow" 3. Enter "${name}" in "The package name" -4. Enter your npm OTP code to automatically configure trusted publishing -5. Click "Run workflow" in the popover -6. Wait for the workflow to complete +4. Click "Run workflow" in the popover +5. Wait for the workflow to complete -If you didn't provide an OTP, or the workflow couldn't configure trusted publishing automatically, -run this command locally (requires npm >= 11.10.0): +Then, configure trusted publishing by running locally (requires npm >= 11.10.0): npm trust github ${name} --file=release.yml --repository=sanity-io/plugins