Publishing packages
Use trusted publishing where possible
Use trusted publishing if the registry that you are publishing the package to supports it.
Trusted publishing uses the OpenID Connect (OIDC) standard to authenticate your CI system to the package registry, removing the need to store authentication tokens in your environment.
Once trusted publishing is working, disable other methods of authentication in your registry.
Limit the scope of any tokens
If it is not possible to publish your package using trusted publishing, make sure that any authentication tokens used to authenticate with the registry are:
- short-lived
- least-privileged
- auditable
- revocable
- rotatable
Avoid making it possible to publish from other parts of your workflow
Restrict access to the tokens to the parts of your CI/CD pipeline that should be able to publish packages.
Consider using environments
If you are publishing using GitHub Actions, consider using an environment for your publishing workflow, which allows you to introduce additional restrictions. For example, you can restrict publishing to specific branches or require approval from another user.
If you are publishing using trusted publishing, you can usually specify an environment when setting up the relationship with GitHub Actions in your registry account.
If you are publishing using authentication tokens, consider defining the tokens as environment secrets rather than repository secrets, which are available to all Actions runs in the repository. Note that it is not possible to restrict organisation-level secrets to a specific environment.
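The workflow below is an added example, not part of the original guidance, showing how an environment secret confines a registry token to the publishing job alone (the point of the "Avoid making it possible to publish from other parts of your workflow" and "Consider using environments" sections). It assumes an npm package, an environment named npm-release with a secret called NPM_TOKEN defined on that environment (not on the repository), and v-prefixed release tags; all three names are placeholders.

```yaml
name: Publish to npm

on:
  push:
    tags:
      - "v*"            # assumption: releases are tagged v1.2.3 etc.

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No environment is declared here, so NPM_TOKEN (an environment secret)
    # is simply not available to this job: a compromised test dependency
    # cannot read it, even though it runs in the same workflow.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: npm ci
      - run: npm test

  publish:
    needs: test
    runs-on: ubuntu-latest
    # Hypothetical environment name. Its protection rules (required
    # reviewers, allowed branches/tags) gate this job, and only this job
    # can read secrets defined on the environment.
    environment: npm-release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
      - run: npm ci
      # setup-node writes an .npmrc that reads the token from NODE_AUTH_TOKEN,
      # so the secret is exposed only to this single step.
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Because the secret is scoped to the environment rather than the repository, a workflow run that does not declare environment: npm-release, including any other workflow in the repository, resolves secrets.NPM_TOKEN to an empty string. Pair this with the environment's deployment-branch rule and required reviewers so that the token can only be used from release tags and after a second person has approved the run.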