This took a lot of tedious work but I’m now npm token free, weee!

The @11ty ecosystem is now using Trusted Publishers (https://docs.npmjs.com/trusted-publishers)

As a security precaution I had previously configured every single 11ty repository to have its own single-package-scoped npm token (there were probably ~30 or so), so this is a lovely improvement 😅

@zachleat

I did this, but I didn't get the OIDC badges. Do I have to delete all the granular tokens, too?

@localnerve I wouldn’t expect so (but I couldn’t say 100%). Sounds like you made a config error somewhere? I locked down npm publishing access to require 2FA and disallow tokens and deleted my tokens from GitHub Settings too — I’d also check your Actions yml to make sure the token isn’t being used there

@zachleat

Totally probable misconfig, more probable than not...
I saw that option, but my brain can't grok how I can have 2FA with GHA deployment... Looks like I have more reading to do...

@localnerve it doesn’t do 2FA with GHA, fwiw 😅

@zachleat

Fwiw, my problem was an older version of npm in the GHA runner...

@localnerve ugh, sorry I should have remembered that I ran into that same issue. The error message on that one was very vague too iirc 😭

Appreciate you circling back!
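For anyone following along, here is a minimal GitHub Actions workflow for this setup, added as an illustration and not taken from any 11ty repository; the workflow filename, tag trigger and Node version are assumptions, and it assumes the package already has a Trusted Publisher configured on npmjs.com pointing at this repo and workflow file:

```yaml
# Constructed example: .github/workflows/release.yml (assumed filename; it must
# match the workflow name registered in the package's Trusted Publisher settings).
name: Publish to npm via Trusted Publisher

on:
  push:
    tags:
      - "v*"   # assumed trigger: publish when a version tag is pushed

permissions:
  contents: read
  id-token: write   # required: lets the job mint the OIDC token npm exchanges for publish rights

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed

      # The runner's bundled npm may predate Trusted Publisher support, which is
      # the failure described in the thread above. Upgrade the CLI before publishing
      # and print the version so the log shows what actually ran.
      - run: npm install -g npm@latest
      - run: npm --version

      - run: npm ci
      - run: npm test

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret anywhere in this job: the OIDC exchange
      # replaces the long-lived granular token, so there is nothing to leak or rotate.
      - run: npm publish --access public
```

If the publish step still fails after the npm upgrade, compare the repository owner, repository name, workflow filename and (if set) environment against the Trusted Publisher entry on npmjs.com, since any mismatch rejects the OIDC exchange.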

@zachleat Uh, thanks for reminding me. Still had one token there which hadn't been used in years. 🙈

@zachleat Tedious work but a great improvement. Working with long-lived credentials is a risk when you deal with a bunch of packages. CI releases just aren’t necessary for my setup, so I publish locally.