From ac6491c9ce0adb33ec295072829b204650f7c118 Mon Sep 17 00:00:00 2001 From: Jeremy Tuloup Date: Tue, 14 Oct 2025 13:45:06 +0200 Subject: [PATCH 1/3] Document npm truster publishers --- .../making_release_from_releaser.md | 33 ++++++++++++- .../convert_repo_from_releaser.md | 47 +++++++++++++++--- .../how_to_guides/convert_repo_from_repo.md | 49 ++++++++++++++++--- docs/source/reference/theory.md | 2 +- 4 files changed, 112 insertions(+), 19 deletions(-) diff --git a/docs/source/get_started/making_release_from_releaser.md b/docs/source/get_started/making_release_from_releaser.md index 3f395529..2afade8c 100644 --- a/docs/source/get_started/making_release_from_releaser.md +++ b/docs/source/get_started/making_release_from_releaser.md @@ -49,9 +49,38 @@ already uses Jupyter Releaser. -- If the repo generates npm release(s), add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets". +- If the repo generates npm release(s), set up npm: -> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)). +
Using npm Trusted Publishers (recommended) + +- npm Trusted Publishers is supported with npm >= 11.5.1 +- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) +- Set up the Node.js version in your workflow using one of these approaches: + + Using the `base-setup` action from `jupyterlab/maintainer-tools`: + ```yaml + - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + with: + node_version: "24" + ``` + + Or using the standard `setup-node` action: + ```yaml + - uses: actions/setup-node@v6 + with: + node-version: "24" + ``` + +- With Trusted Publishers enabled, npm packages will be published without needing to store an `NPM_TOKEN` secret + +
+ +
Using NPM_TOKEN (legacy way) + +- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets" +- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)) + +
## Prep Release diff --git a/docs/source/how_to_guides/convert_repo_from_releaser.md b/docs/source/how_to_guides/convert_repo_from_releaser.md index 0c1cf2f6..66f83f44 100644 --- a/docs/source/how_to_guides/convert_repo_from_releaser.md +++ b/docs/source/how_to_guides/convert_repo_from_releaser.md @@ -10,7 +10,7 @@ See checklist below for details: - Bump version configuration (if using Python), for example [tbump](https://github.com/dmerejkowsky/tbump) - [Access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with access to target GitHub repo to run GitHub Actions. - Access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github) -- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens). +- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens). ## Checklist for Adoption @@ -19,9 +19,9 @@ A. Prep the `jupyter_releaser` fork: - [ ] Clone this repository onto your GitHub user account. - [ ] Add a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with access to target GitHub repo to run - GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the - [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). - The token will need "public_repo", and "repo:status" permissions. + GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the + [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). + The token will need "public_repo", and "repo:status" permissions. - [ ] Set up PyPI: @@ -54,9 +54,40 @@ A. Prep the `jupyter_releaser` fork: -- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`. +- [ ] Set up npm (if publishing to npm): -> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)). +
Using npm Trusted Publishers (recommended) + +- npm Trusted Publishers is supported with npm >= 11.5.1 +- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) +- Set up the Node.js version in your workflow using one of these approaches: + + Using the `base-setup` action from `jupyterlab/maintainer-tools`: + + ```yaml + - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + with: + node_version: "24" + ``` + + Or using the standard `setup-node` action: + + ```yaml + - uses: actions/setup-node@v4 + with: + node-version: "24" + ``` + +- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret + +
+ +
Using NPM_TOKEN (legacy way) + +- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` +- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)) + +
B. Prep target repository: @@ -66,7 +97,7 @@ B. Prep target repository: - Note that [directives](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#syntax-directives) can still be used - [ ] Add HTML start and end comment markers to Changelog file - see example in [CHANGELOG.md](https://github.com/jupyter-server/jupyter_releaser/blob/main/CHANGELOG.md) (view in raw mode) - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your - build system and for version handling. + build system and for version handling. - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`, use a pattern like the one below in your version file: ```python @@ -111,7 +142,7 @@ version_info = tuple(parts) ``` - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to - categorize the changelog. + categorize the changelog. - [ ] Update or add `RELEASE.md` that describes the onboarding and release process, e.g. [jupyter_server](https://github.com/jupyter-server/jupyter_server/blob/main/RELEASE.md). diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index cae7bc50..9138e61e 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -9,7 +9,7 @@ See checklist below for details: - Markdown changelog - Bump version configuration (if using Python), for example [hatch](https://hatch.pypa.io/latest/) - [Add a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) to your PyPI project -- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens). +- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens). ## Checklist for Adoption @@ -25,7 +25,7 @@ See checklist below for details: - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) - [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. - The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). + The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository @@ -38,7 +38,7 @@ See checklist below for details: - Allow the GitHub App to bypass protections - [ ] Copy `prep-release.yml` and `publish-release.yml` (or only `full-release.yml`) from the - [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository. + [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository. - [ ] Set up PyPI: @@ -47,8 +47,41 @@ See checklist below for details: _environment_ should be `release` (the name of the GitHub environment). - Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/)) -- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`. Again this should - be created using a machine account that only has publish access. +- [ ] Set up npm (if publishing to npm): + +
Using npm Trusted Publishers (recommended) + +- npm Trusted Publishers is supported with npm >= 11.5.1 +- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) +- Set up the Node.js version in your workflow using one of these approaches: + + Using the `base-setup` action from `jupyterlab/maintainer-tools`: + + ```yaml + - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + with: + node_version: "24" + ``` + + Or using the standard `setup-node` action: + + ```yaml + - uses: actions/setup-node@v4 + with: + node-version: "24" + ``` + +- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret + +
+ +
Using NPM_TOKEN (legacy way) + +- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` +- This should be created using a machine account that only has publish access +- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)) + +
- [ ] Ensure that only trusted users with 2FA have admin access to the repository, since they will be able to trigger releases. @@ -71,7 +104,7 @@ See checklist below for details: ``` - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your - build system and for version handling. + build system and for version handling. - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`, use a pattern like the one below in your version file: @@ -119,7 +152,7 @@ version_info = tuple(parts) ``` - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action - from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog. + from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog. ```yaml name: Enforce PR label @@ -149,7 +182,7 @@ jobs: - [ ] Try out the `Prep Release` and `Publish Release` process against a fork of the target repo first so you don't accidentally push tags and GitHub releases to the source repository. Set the `TWINE_REPOSITORY_URL` environment variable to `https://test.pypi.org/legacy/` in the "Finalize Release" action part of the workflow - [ ] Try the `Publish Release` process using a prerelease version on the main - repository before publishing a final version. + repository before publishing a final version. ## Backport Branches diff --git a/docs/source/reference/theory.md b/docs/source/reference/theory.md index dbe796ff..680a6f33 100644 --- a/docs/source/reference/theory.md +++ b/docs/source/reference/theory.md @@ -17,7 +17,7 @@ This project should help maintainers reduce toil and save time in the release pr We strive to use the most secure release practices possible, reflected in the `Checklist for Adoption` and the example workflows. -This includes using PyPI Trusted Publishing, using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm. +This includes using PyPI Trusted Publishing, npm Trusted Publishers (with npm >= 11.5.1), using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm. In addition, there is an automatic check for whether the user who triggered the action is an admin. ## Action Details From 36ac20fa50eb60fdfbd93f3c4800babaa3159db2 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Oct 2025 11:46:41 +0000 Subject: [PATCH 2/3] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../get_started/making_release_from_releaser.md | 4 ++++ .../how_to_guides/convert_repo_from_releaser.md | 12 +++++++----- docs/source/how_to_guides/convert_repo_from_repo.md | 12 +++++++----- 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/source/get_started/making_release_from_releaser.md b/docs/source/get_started/making_release_from_releaser.md index 2afade8c..83e5b011 100644 --- a/docs/source/get_started/making_release_from_releaser.md +++ b/docs/source/get_started/making_release_from_releaser.md @@ -54,10 +54,13 @@ already uses Jupyter Releaser.
Using npm Trusted Publishers (recommended) - npm Trusted Publishers is supported with npm >= 11.5.1 + - Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) + - Set up the Node.js version in your workflow using one of these approaches: Using the `base-setup` action from `jupyterlab/maintainer-tools`: + ```yaml - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 with: @@ -65,6 +68,7 @@ already uses Jupyter Releaser. ``` Or using the standard `setup-node` action: + ```yaml - uses: actions/setup-node@v6 with: diff --git a/docs/source/how_to_guides/convert_repo_from_releaser.md b/docs/source/how_to_guides/convert_repo_from_releaser.md index 66f83f44..726e57f2 100644 --- a/docs/source/how_to_guides/convert_repo_from_releaser.md +++ b/docs/source/how_to_guides/convert_repo_from_releaser.md @@ -19,9 +19,9 @@ A. Prep the `jupyter_releaser` fork: - [ ] Clone this repository onto your GitHub user account. - [ ] Add a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with access to target GitHub repo to run - GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the - [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). - The token will need "public_repo", and "repo:status" permissions. + GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the + [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). + The token will need "public_repo", and "repo:status" permissions. - [ ] Set up PyPI: @@ -59,7 +59,9 @@ A. Prep the `jupyter_releaser` fork:
Using npm Trusted Publishers (recommended) - npm Trusted Publishers is supported with npm >= 11.5.1 + - Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) + - Set up the Node.js version in your workflow using one of these approaches: Using the `base-setup` action from `jupyterlab/maintainer-tools`: @@ -97,7 +99,7 @@ B. Prep target repository: - Note that [directives](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#syntax-directives) can still be used - [ ] Add HTML start and end comment markers to Changelog file - see example in [CHANGELOG.md](https://github.com/jupyter-server/jupyter_releaser/blob/main/CHANGELOG.md) (view in raw mode) - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your - build system and for version handling. + build system and for version handling. - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`, use a pattern like the one below in your version file: ```python @@ -142,7 +144,7 @@ version_info = tuple(parts) ``` - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to - categorize the changelog. + categorize the changelog. - [ ] Update or add `RELEASE.md` that describes the onboarding and release process, e.g. [jupyter_server](https://github.com/jupyter-server/jupyter_server/blob/main/RELEASE.md). diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index 9138e61e..1ae90712 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -25,7 +25,7 @@ See checklist below for details: - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) - [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. - The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). + The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository @@ -38,7 +38,7 @@ See checklist below for details: - Allow the GitHub App to bypass protections - [ ] Copy `prep-release.yml` and `publish-release.yml` (or only `full-release.yml`) from the - [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository. + [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository. - [ ] Set up PyPI: @@ -52,7 +52,9 @@ See checklist below for details:
Using npm Trusted Publishers (recommended) - npm Trusted Publishers is supported with npm >= 11.5.1 + - Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements)) + - Set up the Node.js version in your workflow using one of these approaches: Using the `base-setup` action from `jupyterlab/maintainer-tools`: @@ -104,7 +106,7 @@ See checklist below for details: ``` - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your - build system and for version handling. + build system and for version handling. - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`, use a pattern like the one below in your version file: @@ -152,7 +154,7 @@ version_info = tuple(parts) ``` - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action - from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog. + from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog. ```yaml name: Enforce PR label @@ -182,7 +184,7 @@ jobs: - [ ] Try out the `Prep Release` and `Publish Release` process against a fork of the target repo first so you don't accidentally push tags and GitHub releases to the source repository. Set the `TWINE_REPOSITORY_URL` environment variable to `https://test.pypi.org/legacy/` in the "Finalize Release" action part of the workflow - [ ] Try the `Publish Release` process using a prerelease version on the main - repository before publishing a final version. + repository before publishing a final version. ## Backport Branches From 951e3b4f0c058447d519b85c472075489a6c9ef5 Mon Sep 17 00:00:00 2001 From: Jeremy Tuloup Date: Wed, 15 Oct 2025 11:07:43 +0200 Subject: [PATCH 3/3] Log when there is no npm token --- jupyter_releaser/npm.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/jupyter_releaser/npm.py b/jupyter_releaser/npm.py index c9d98820..45558b5f 100644 --- a/jupyter_releaser/npm.py +++ b/jupyter_releaser/npm.py @@ -1,4 +1,5 @@ """npm-related utilities.""" + # Copyright (c) Jupyter Development Team. # Distributed under the terms of the Modified BSD License. import json @@ -153,6 +154,8 @@ def handle_npm_config(npm_token): short_reg = registry.replace("https://", "//") short_reg = short_reg.replace("http://", "//") auth_entry = f"{short_reg}:_authToken={npm_token}" + else: + util.log("No NPM_TOKEN provided, will attempt to use npm Trusted Publishers if configured") # Handle existing config if npmrc.exists(): @@ -182,13 +185,13 @@ def get_package_versions(version): npm_version = data.get("version", "") if npm_version != version: message += f"\nPython version: {version}" - message += f'\nnpm version: {data["name"]}: {npm_version}' + message += f"\nnpm version: {data['name']}: {npm_version}" if "workspaces" in data: message += "\nnpm workspace versions:" for path in _get_workspace_packages(data): text = path.joinpath("package.json").read_text(encoding="utf-8") data = json.loads(text) - message += f'\n{data["name"]}: {data.get("version", "")}' + message += f"\n{data['name']}: {data.get('version', '')}" return message