Description
Hey everyone!
I have a question regarding Trusted Publishers that from reading the docs doesn't seem very clear to me.
We have some repositories that have multiple GitHub actions for publishing packages to npm, one to dev tag, one to next, one to latest (and a few others). These workflows all consume a re-usable workflow, where the call to npm publish actually takes place.
Per the last paragraph in the Troubleshooting section:
Some GitHub Actions workflows use workflow_call to invoke other workflows that run npm publish, or use workflow_dispatch for manual publishing. When this happens, validation checks the calling workflow's name instead of the workflow that actually contains the publish command, which can cause configuration mismatches.
So I am confused as to how we can use trusted publishing when we have a setup like:
workflow_a.yml
workflow_b.yml
workflow_c.yml
That all call workflow_reusable.yml (workflow_call), without changing the setup of the workflows?
So far I've only been able to get it working if I set the GitHub Workflow file in npm settings as one of the specific a,b,c workflows, and paste the reusable code inside the calling workflow.
Would I need to always use a single GitHub Actions workflow file to enable trusted publishing?
Let me know if you need me to clarify anything.
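To see the mismatch the quoted docs paragraph describes, the following added example (not part of the original post, and not npm's own code) decodes a GitHub Actions OIDC token's claims and compares a configured workflow filename against the calling workflow. The `workflow_ref` and `job_workflow_ref` claim names are GitHub's; the function names, the sample repository, and the exact matching rule are assumptions made for illustration.

```javascript
// Added example. All token contents below are constructed samples.

// Decode a compact JWT's payload for inspection only (no signature check).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// "owner/repo/.github/workflows/file.yml@refs/heads/main" -> "file.yml"
function workflowFile(ref) {
  if (typeof ref !== "string") return null;
  const path = ref.split("@")[0];
  const m = path.match(/\/\.github\/workflows\/([^/]+\.ya?ml)$/);
  return m ? m[1] : null;
}

// Assumption: models the docs sentence "validation checks the calling
// workflow's name", i.e. the configured file is compared to workflow_ref.
function checkPublisher(claims, configuredFile) {
  const caller = workflowFile(claims.workflow_ref);         // workflow that was triggered
  const publishJob = workflowFile(claims.job_workflow_ref); // workflow holding the job
  return {
    caller,
    publishJob,
    viaReusable: publishJob !== null && publishJob !== caller,
    matches: caller !== null && caller === configuredFile,
  };
}

// Build an unsigned, constructed token so the example runs offline.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc(claims)}.constructed`;
}

const repo = "example-org/example-repo"; // hypothetical repository
const token = sampleToken({
  workflow_ref: `${repo}/.github/workflows/workflow_a.yml@refs/heads/main`,
  job_workflow_ref: `${repo}/.github/workflows/workflow_reusable.yml@refs/heads/main`,
});

for (const configured of ["workflow_reusable.yml", "workflow_a.yml"]) {
  console.log(configured, checkPublisher(decodeClaims(token), configured));
}
```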