release-doctor 0.1.0 → 0.2.0
- package/README.md +10 -2
- package/package.json +1 -1
- package/src/cli.js +1 -1
package/README.md
CHANGED
|
@@ -46,12 +46,20 @@ npx release-doctor [path] [options]
|
|
|
46
46
|
--no-color Disable ANSI color
|
|
47
47
|
```
|
|
48
48
|
|
|
49
|
-
Exit code is `0` when clean and `1` when there are errors, so
|
|
49
|
+
Exit code is `0` when clean and `1` when there are errors, so it doubles as a guard in CI.
|
|
50
|
+
|
|
51
|
+
## As a GitHub Action
|
|
52
|
+
|
|
53
|
+
Catch publish-config drift on every PR, before the release job is the thing that fails:
|
|
50
54
|
|
|
51
55
|
```yaml
|
|
52
|
-
-
|
|
56
|
+
- uses: fernforge/release-doctor@v1
|
|
57
|
+
with:
|
|
58
|
+
strict: false # set true to fail on warnings too
|
|
53
59
|
```
|
|
54
60
|
|
|
61
|
+
It runs the same read-only scan and fails the step on any error. No token, no `id-token` permission, nothing to configure — it only reads your workflow files and manifests.
|
|
62
|
+
|
|
55
63
|
## Why trusted publishing, briefly
|
|
56
64
|
|
|
57
65
|
A classic token was a long-lived secret sitting in your repo settings. Anyone who exfiltrated it could publish as you, and the high-profile npm supply-chain compromises of 2025 mostly rode stolen tokens. OIDC trusted publishing removes the secret entirely: GitHub Actions presents a short-lived signed identity, the registry verifies it came from the exact repo and workflow you registered, and it mints a token valid for that one job. Nothing to leak. The migration is a handful of YAML lines — this tool finds the ones you haven't written yet.
|
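Review bot: the new "As a GitHub Action" section pins the step to a mutable tag, `- uses: fernforge/release-doctor@v1`, in a README whose closing paragraph argues that stolen long-lived credentials were what the 2025 npm compromises rode on; a moveable `v1` tag gives whoever controls that tag the same kind of lever over every consumer's CI. Suggest recommending a full commit SHA with the version as a trailing comment (for example `- uses: fernforge/release-doctor@<full-commit-sha> # v1.x.y`) and saying so in the text. Two smaller points in the same hunk: "No token, no `id-token` permission, nothing to configure" sits directly under a `with: strict:` input, so "nothing to configure" overstates it; and since the action "only reads your workflow files and manifests", the snippet presumably needs an `actions/checkout` step ahead of it (or the action must do its own checkout), which the example does not show.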
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "release-doctor",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.2.0",
|
|
4
4
|
"description": "Read-only scanner that checks whether your npm/PyPI publish CI is ready for OIDC trusted publishing, after npm revoked classic tokens (Dec 9 2025). Prints the exact diff to fix.",
|
|
5
5
|
"bin": {
|
|
6
6
|
"release-doctor": "src/cli.js"
|
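Review bot: the version bump is the only change to the manifest, and nothing in this release records what 0.2.0 changes; the other two files in the diff are README text plus a one-line fix to the CLI help string, with no change to scanning logic. A short CHANGELOG entry or release note saying exactly that would let consumers who diff the package before updating confirm that the read-only scanner behaviour is unchanged. Also, while unchanged here, the `description` hardcodes "(Dec 9 2025)", which will read as stale once the migration deadline has passed.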
package/src/cli.js
CHANGED
|
@@ -33,7 +33,7 @@ scanner: it never touches the network, your secrets, or your files. It reads
|
|
|
33
33
|
.github/workflows + package.json/pyproject and prints the exact diff to fix.
|
|
34
34
|
|
|
35
35
|
Usage:
|
|
36
|
-
npx
|
|
36
|
+
npx release-doctor [path] [options]
|
|
37
37
|
|
|
38
38
|
Options:
|
|
39
39
|
--json Machine-readable output
|