This package uses npm Trusted Publishing (OIDC) for secure, token-free releases with cryptographic provenance.
Package: @crashbytes/react-version-compare
Version: 1.0.4
Published: 2026-01-14 06:02 UTC
Provenance: https://search.sigstore.dev/?logIndex=820833331
GitHub Release: https://github.com/CrashBytes/react-version-compare/releases/tag/v1.0.4
- No tokens required - Uses OIDC authentication via GitHub Actions
- Cryptographic provenance - Every release includes verifiable supply chain attestation
- Sigstore transparency - All releases logged in public transparency log
- Automated security - Weekly audits, dependency updates, CodeQL scanning
- React compatibility - Automated testing against React 18 & 19
Organization: CrashBytes (case-sensitive!)
Repository: react-version-compare
Workflow: release.yml
Environment: (blank/empty)
1. Update the version in package.json:

   ```bash
   # Edit package.json, change version to 1.0.5
   ```

2. Update CHANGELOG.md with release notes.

3. Commit and tag:

   ```bash
   git add package.json CHANGELOG.md
   git commit -m "chore: release v1.0.5"
   git tag v1.0.5
   ```

4. Push (triggers the automatic release):

   ```bash
   git push origin main && git push origin v1.0.5
   ```

5. Monitor the workflow:

   ```bash
   gh run list --workflow=release.yml --limit 1
   gh run watch <run-id>
   ```
When you push a tag (e.g., v1.0.5), the workflow runs these steps in order:

1. ✅ Checkout code
2. ✅ Setup Node.js 20
3. ✅ Upgrade npm to latest (≥ 11.5.1, required for OIDC)
4. ✅ Install dependencies
5. ✅ Build package
6. ✅ Run tests
7. ✅ Type check
8. ✅ Publish to npm with provenance (OIDC - no tokens!)
9. ✅ Create GitHub Release
10. ✅ Cryptographic attestation logged to Sigstore

Total time: ~45-60 seconds
```bash
npm view @crashbytes/react-version-compare version
npm view @crashbytes/react-version-compare dist.integrity
```

https://www.npmjs.com/package/@crashbytes/react-version-compare

Each release includes a Sigstore transparency-log link like: https://search.sigstore.dev/?logIndex=820833331
- Trigger: Push, PR, weekly schedule, manual
- What it does:
- npm audit (all dependencies)
- npm audit (production only)
- CodeQL analysis (JavaScript + TypeScript)
- Dependency review (PRs only)
- Trigger: Push, PR, weekly schedule, manual
- What it does:
- Test against React 18
- Test against React 19
- Validates peer dependency compatibility
- Schedule: Weekly (Mondays 9 AM UTC)
- Groups dependencies by type:
- Production dependencies
- Development dependencies
- Testing dependencies (@testing-library, jest)
- Build tools (rollup, typescript, vite)
- Auto-assigns PRs to MichaelEakins
Symptoms:

```
npm error code ENEEDAUTH
npm error need auth This command requires you to be logged in
```

Causes & Solutions:

1. Wrong repository name in npm config
   - ❌ Bad: `compare`
   - ✅ Good: `react-version-compare`

2. Wrong workflow filename in npm config
   - ❌ Bad: `publish.yml`
   - ✅ Good: `release.yml`

3. Environment name not blank
   - ❌ Bad: "main", "production", etc.
   - ✅ Good: (completely empty field)

4. Wrong organization case
   - ❌ Bad: `crashbytes`, `crashBytes`
   - ✅ Good: `CrashBytes` (exact case!)

5. npm CLI too old
   - Solution: the workflow automatically upgrades to the latest npm (≥ 11.5.1)

6. `registry-url` in workflow
   - Solution: remove `registry-url` from the `setup-node` step; OIDC doesn't use .npmrc authentication
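To see why each of the four configuration mistakes above ends in ENEEDAUTH, it helps to look at what the registry actually compares: the claims inside the GitHub Actions OIDC token against the Trusted Publisher fields entered on npmjs.com. The script below is an added example written for this page, not npm's code and not part of this repository. The claim names (`repository`, `repository_owner`, `job_workflow_ref`, `environment`, `ref`) are the ones GitHub emits; the comparison rules are a model of the behaviour this troubleshooting list describes (case-sensitive owner, full repository name, exact workflow filename, an environment that must match only when the config names one), and the test token and claims are constructed, unsigned, and exist only so the code runs offline.

```javascript
'use strict';

// Added example: models how a Trusted Publisher configuration is matched
// against the GitHub Actions OIDC token claims. This is NOT npm's code; the
// rules follow the troubleshooting list on this page and are assumptions.

// Decode the payload of a compact JWS without checking the signature.
// Verifying the RS256 signature against GitHub's JWKS is the registry's job;
// here we only inspect the claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Build an unsigned test token from a claims object. Constructed for this
// example only; a real token is signed by token.actions.githubusercontent.com.
function makeTestToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Compare token claims with the npm Trusted Publisher fields and return every
// mismatch. Modelled rules (assumptions, not npm's published algorithm):
//   - owner and repository are compared case-sensitively and in full;
//   - the workflow filename is the basename of job_workflow_ref;
//   - the workflow must live in the publishing repository itself;
//   - when the config names an environment the token must carry that
//     environment claim; a blank config field skips the check.
function trustedPublisherMismatches(claims, cfg) {
  const problems = [];
  const [owner, repo] = claims.repository.split('/');
  if (owner !== cfg.organization) {
    problems.push(`organization: token "${owner}" != config "${cfg.organization}" (case-sensitive)`);
  }
  if (repo !== cfg.repository) {
    problems.push(`repository: token "${repo}" != config "${cfg.repository}" (full name required)`);
  }
  // job_workflow_ref looks like OWNER/REPO/.github/workflows/FILE@refs/tags/vX.Y.Z
  const workflowPath = claims.job_workflow_ref.split('@')[0];
  const marker = '/.github/workflows/';
  const idx = workflowPath.indexOf(marker);
  const workflowRepo = idx >= 0 ? workflowPath.slice(0, idx) : '';
  const workflowFile = idx >= 0 ? workflowPath.slice(idx + marker.length) : workflowPath;
  if (workflowRepo !== claims.repository) {
    problems.push(`workflow: ran from "${workflowRepo}", not from the publishing repository`);
  }
  if (workflowFile !== cfg.workflow) {
    problems.push(`workflow: token "${workflowFile}" != config "${cfg.workflow}" (exact filename)`);
  }
  const tokenEnv = claims.environment ?? '';
  if (cfg.environment && tokenEnv !== cfg.environment) {
    const ran = tokenEnv ? `"${tokenEnv}"` : 'no environment';
    problems.push(`environment: config "${cfg.environment}" but the job ran with ${ran}`);
  }
  return problems;
}

// What the registry would answer: an accepted publish, or the ENEEDAUTH
// described above. The error code mapping is part of this model.
function simulatePublish(token, cfg) {
  const problems = trustedPublisherMismatches(decodeJwtPayload(token), cfg);
  return problems.length === 0
    ? { ok: true, code: null, problems: [] }
    : { ok: false, code: 'ENEEDAUTH', problems };
}

// Constructed claims for a v1.0.4 tag push of this repository. A real token
// carries more claims (sub, aud, actor, run_id, ...); only those used here are shown.
const TAG_PUSH_CLAIMS = {
  iss: 'https://token.actions.githubusercontent.com',
  repository: 'CrashBytes/react-version-compare',
  repository_owner: 'CrashBytes',
  ref: 'refs/tags/v1.0.4',
  job_workflow_ref: 'CrashBytes/react-version-compare/.github/workflows/release.yml@refs/tags/v1.0.4',
  // no "environment" claim: the release job does not reference one
};

// The npmjs.com Trusted Publisher fields from this page, and a config that
// makes every mistake the troubleshooting list warns about.
const GOOD_CONFIG = { organization: 'CrashBytes', repository: 'react-version-compare', workflow: 'release.yml', environment: '' };
const BAD_CONFIG = { organization: 'crashbytes', repository: 'compare', workflow: 'publish.yml', environment: 'production' };

const token = makeTestToken(TAG_PUSH_CLAIMS);
console.log(JSON.stringify(simulatePublish(token, GOOD_CONFIG), null, 2));
console.log(JSON.stringify(simulatePublish(token, BAD_CONFIG), null, 2));
```

Run it with `node` and the second result lists four mismatches, one per misconfigured field; fixing the fields one at a time until the list is empty is the same debugging loop as editing the Trusted Publisher form on npmjs.com, without waiting for a failed workflow run each time.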
Cause (workflow did not trigger): Tag not pushed, or pushed before the workflow existed

Solution:

```bash
# Delete and re-push the tag
git push origin :refs/tags/v1.0.4
git push origin v1.0.4
```

Cause (publish step fails): Code issues preventing publish

Solution:

1. Run locally first:

   ```bash
   npm ci
   npm run build
   npm test
   npm run type-check
   ```

2. Fix issues
3. Commit and re-tag
```yaml
on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write  # Create GitHub releases
  id-token: write  # OIDC authentication (REQUIRED!)
```

Critical Permissions:

- `id-token: write` - Required for npm Trusted Publishing (OIDC)
- `contents: write` - Needed to create GitHub releases

What Makes It Work:

- NO `registry-url` in setup-node (prevents .npmrc conflicts)
- NO `NODE_AUTH_TOKEN` environment variable
- npm >= 11.5.1 (automatically upgraded in workflow)
- `--provenance` flag in the npm publish command
- Triggered by tags (not push to main)

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: '20'
    # NO registry-url here!

- name: Upgrade npm for Trusted Publishing
  run: npm install -g npm@latest

- name: Publish to npm with Provenance
  run: npm publish --provenance --access public
  # OIDC happens automatically - no tokens needed!
```

| Feature | Token-Based | Trusted Publishing |
|---|---|---|
| Token management | Required | None |
| Token rotation | Manual | Not needed (short-lived per-run OIDC token) |
| Token expiration | 90 days | N/A |
| Security risk | High (token leak) | Low (OIDC) |
| Provenance | Optional | Included |
| Supply chain | Not verified | Cryptographically verified |
| Transparency | None | Public log |
| Audit trail | Limited | Complete |
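The release procedure and workflow fragments above, assembled into one complete `release.yml`. This is an added example for this page, not the repository's own workflow file: the trigger, permissions, setup-node step without `registry-url`, npm upgrade, build/test/type-check scripts and the `npm publish --provenance` command are all taken from the fragments above; the final step is assumed to use `gh release create` with the job's `GITHUB_TOKEN`, since the page lists "Create GitHub Release" without showing how it is done.

```yaml
# Added example: a complete tag-triggered release workflow assembled from the
# fragments on this page. Not the project's own file.
name: Release

on:
  push:
    tags:
      - 'v*'          # v1.0.5, v2.0.0, ... never on pushes to main

permissions:
  contents: write     # create the GitHub Release
  id-token: write     # request the OIDC token that npm exchanges for publish rights

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          # No registry-url: setup-node would otherwise write an .npmrc that
          # expects NODE_AUTH_TOKEN, which Trusted Publishing does not use.

      - name: Upgrade npm for Trusted Publishing (needs >= 11.5.1)
        run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build
      - run: npm test
      - run: npm run type-check

      - name: Publish to npm with provenance
        # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere in this job.
        run: npm publish --provenance --access public

      - name: Create GitHub Release
        # Assumption: the page does not show this step; gh uses the job token.
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
```

Nothing in this job is a long-lived secret: the OIDC token is minted per run, scoped to this repository and workflow, and expires with the job. On the consuming side, `npm audit signatures` in a project that depends on the package checks the registry signatures and provenance attestations for the installed versions.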
- npm Provenance: https://docs.npmjs.com/generating-provenance-statements
- npm Trusted Publishing: https://docs.npmjs.com/trusted-publishers/
- GitHub OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- Sigstore: https://www.sigstore.dev/
- Never commit tokens to repository
- Enable 2FA on npm account
- Review Dependabot PRs before merging
- Monitor security advisories via GitHub Alerts
- Check CodeQL results weekly
- Verify provenance for published packages
- Keep dependencies updated (Dependabot handles this)
- Run local tests before tagging releases
```bash
# Watch workflow runs
gh run list --limit 5

# View a specific run
gh run view <run-id>

# Check whether Dependabot vulnerability alerts are enabled for the repo (HTTP 204 = enabled, 404 = disabled)
gh api repos/CrashBytes/react-version-compare/vulnerability-alerts

# View Dependabot alerts
gh api repos/CrashBytes/react-version-compare/dependabot/alerts
```

From our setup experience:
- Environment field MUST be blank - most common failure cause
- Case sensitivity matters - organization name must be exact
- Full repository name required - not abbreviated
- Workflow filename must match - exactly as in `.github/workflows/`
- npm CLI version critical - must be ≥ 11.5.1 for OIDC
- NO `registry-url` in workflow - causes .npmrc conflicts
- npm Trusted Publisher configured on npmjs.com
  - Organization: `CrashBytes` (exact case)
  - Repository: `react-version-compare` (full name)
  - Workflow: `release.yml` (exact filename)
  - Environment: (blank/empty)
- Release workflow created (`.github/workflows/release.yml`)
- Security audit workflow (`.github/workflows/security-audit.yml`)
- React compatibility testing (`.github/workflows/react-compat.yml`)
- Dependabot configuration (`.github/dependabot.yml`)
- SECURITY.md policy document
- README badges updated
- First release tested (v1.0.4)
The previous .github/workflows/publish.yml workflow:
- ❌ Auto-bumped version on every push to main
- ❌ Required NPM_TOKEN secret
- ❌ No provenance generation
- ❌ No security infrastructure
The new .github/workflows/release.yml workflow:
- ✅ Manual version control (update package.json)
- ✅ Tag-based releases (you control when)
- ✅ OIDC authentication (no tokens)
- ✅ Automatic provenance generation
- ✅ Complete security infrastructure
For issues or questions:
- GitHub Issues: https://github.com/CrashBytes/react-version-compare/issues
- Security: security@crashbytes.com
Last Updated: 2026-01-14
Package: @crashbytes/react-version-compare
Current Version: 1.0.4
Status: ✅ Production Ready