Nicholas Zakas
It's just not all the way there yet.
Yeah.
So trusted publishing is basically: you go into npm and, for your individual package,
you say, I want to enable trusted publishing from this source code repository specifically, and then this workflow specifically, the exact name of the file.
And when you enable that, then you can
upload your GitHub Actions workflow file into your repository and set the permissions for ID token.
And then GitHub Actions, when it runs that workflow,
will request a token on your behalf from npm and then bring it back in and use it just for as long as the workflow is running, and then that token is no longer useful anymore. So basically it's on-demand, one-time-use tokens for npm.
Is that, uh, used by a lot of maintainers? Is it... well, it's not fully implemented though, right?
Well, so it's partially implemented now without two-factor authentication.
That's the big thing that's missing.
And there are a lot of people who are moving to it specifically because they don't want to have to deal with rotating tokens every 90 days.
That's just a lot of work.
And especially if you consider, I think for me, I might be a maintainer for something like
100 packages, maybe more than that.
I'm not sure.
Some of them are pretty small and inconsequential, but sometimes those are the ones that make their way into larger dependency trees and you can get in trouble with those.
And so the initial reaction from myself and a lot of maintainers, we read the post about the changes,
was like, how are we going to scale this?
How am I going to update all of these packages to do all of this?
And there was no batch operation to update a bunch of packages.