Enhance security recommendations for trusted publishers #1703
Pull Request Overview
This PR enhances the security documentation for trusted publishers by adding a new section that recommends restricting traditional token access when using OIDC-based trusted publishers.
- Adds guidance for configuring maximum security by disallowing non-OIDC tokens
- Provides step-by-step instructions for enabling the "disallow tokens" setting
- Includes migration tips for users transitioning from token-based to trusted publishing
- **Allows** publishing through trusted publishers (OIDC) | ||
- **Blocks** all personal access tokens and automation tokens | ||
- **Reduces** the risk of unauthorized publishing | ||
- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab. |
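Review bot: the third bullet, "**Reduces** the risk of unauthorized publishing", is the one readers most need and it is the vaguest; state what the setting concretely removes, for example "a leaked or stolen token can no longer be used to publish this package". In the same list, "**Blocks** all personal access tokens and automation tokens" reads as if the tokens stop existing; clarify that they are blocked from publishing to this package, which is why the migration steps further down still ask for unneeded tokens to be revoked.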
The sentence ends with 'GitLab.' but should end with 'GitLab CI/CD.' for consistency with the previous mention of 'GitLab CI/CD' and to be more descriptive.
- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab. | |
- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab CI/CD. |
@leobalter I've added some comments - Feel free to ignore. 😉
1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access** | ||
2. Select **"Require two-factor authentication and disallow tokens"** | ||
3. Save your changes |
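Review bot: step 1 says "After enabling trusted publishers" but the sequence never tells the reader to confirm that a publish through the trusted publisher actually succeeds before step 2, even though the migration list below does ("Set up trusted publishers first and verify they work"). Repeat that verification here: once tokens are disallowed, a misconfigured workflow has no token fallback for publishing this package.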
3. Save your changes | |
3. Save your changes by clicking on **Update Package Settings** |
2. Select **"Require two-factor authentication and disallow tokens"** | ||
3. Save your changes | ||
This configuration: |
I'm not sure if this section is needed; I like the one below better (and think it's enough).
If you're transitioning from token-based publishing: | ||
1. Set up trusted publishers first and verify they work | ||
2. Then restrict token access as described above | ||
3. Revoke any existing automation tokens that are no longer needed |
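Review bot: step 3, "Revoke any existing automation tokens that are no longer needed", should give the scope and the reason. The setting in step 2 blocks token publishing for this package only, and tokens belong to the user who created them, so every maintainer with publish rights needs to review and revoke their own; a single maintainer cannot do this step for the whole package.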
As I understand it, those tokens could be on different users, right? I don't know if it should be mentioned here. (Might need to inform other people to delete their tokens.)
Improve OIDC docs recommending disallowing non-OIDC tokens.