Research npm token renewal for CLI releases #279

New issue

Closed

opened 2026-05-11 02:02:14 +00:00 by barrettruth · 0 comments

barrettruth commented 2026-05-11 02:02:14 +00:00

Owner

Copy link

Problem

The CLI release workflow publishes @barrettruth/delta through the Forgejo NPM_TOKEN Actions secret. The current npm token is short-lived and was created with an expiration date of 2026-06-09, so CLI publishing will fail unless we rotate or renew it before then.

Questions

• Does npm support renewing an existing token, or must maintainers create a replacement token each time?
• Can rotation be automated without introducing a more privileged long-lived credential?
• Should SOPS be the source of truth for this token, with a sync step that updates the Forgejo Actions secret?
• Should just release cli ... --tag check token age/expiry before pushing a release tag?

Acceptance criteria

• Document the recommended renewal or rotation path.
• Add any needed SOPS-to-Forgejo secret sync or manual runbook.
• Add a release-time warning or preflight if manual rotation remains required.
• Ensure no token values appear in Git, issues, logs, PR descriptions, or release artifacts.

## Problem The CLI release workflow publishes @barrettruth/delta through the Forgejo `NPM_TOKEN` Actions secret. The current npm token is short-lived and was created with an expiration date of 2026-06-09, so CLI publishing will fail unless we rotate or renew it before then. ## Questions - Does npm support renewing an existing token, or must maintainers create a replacement token each time? - Can rotation be automated without introducing a more privileged long-lived credential? - Should SOPS be the source of truth for this token, with a sync step that updates the Forgejo Actions secret? - Should `just release cli ... --tag` check token age/expiry before pushing a release tag? ## Acceptance criteria - Document the recommended renewal or rotation path. - Add any needed SOPS-to-Forgejo secret sync or manual runbook. - Add a release-time warning or preflight if manual rotation remains required. - Ensure no token values appear in Git, issues, logs, PR descriptions, or release artifacts.

barrettruth added the

track:infra

type:research

labels 2026-05-11 02:02:14 +00:00

barrettruth referenced this issue 2026-05-11 18:31:12 +00:00

v0.1.0 roadmap: single-user self-hosted launch #144

barrettruth referenced this issue 2026-05-11 20:07:02 +00:00

Add CLI npm token rotation guard #344

barrettruth referenced this issue from a commit 2026-05-11 20:08:21 +00:00

Add CLI npm token rotation guard (#344)

barrettruth closed this issue 2026-05-11 20:19:11 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/software-sync

ship/delta-codex-skill

fix/cli-filter-args

fix-calendar-g-leader-shortcuts

harden-keyboard-capture

fix-queue-gc-hard-refresh

fix/task-panel-scroll-restoration

fix/calendar-quick-add-preview-stability

fix/467-local-first-shortcuts

docs/nixos-self-hosting-first-pass

calendar-elapsed-events

calendar-active-day-blue

calendar-outline-no-fill

calendar-neutral-day-state

fix-calendar-drag-visual-position

issue-364-task-api-route-adapters

issue-362-manpage-drift

issue-315-geocoding-config

release/cli-0.0.5

release/cli-0.0.4

fix/task-panel-save-atomicity

settings-modal

feat/add-task-external-links

feat/reminder-transport-settings

feat/reminder-foundation

build/oidc-release-pipeline

fix/settings-cleanup

fix/remove-oauth-config-ui

cli-v0.0.6

cli-v0.0.5

cli-v0.0.4

nightly-20260426

cli-v0.0.2

Labels

Clear labels   

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

status:blocked

Blocked on a decision, credential, or external dependency

  

track:api

API layer track

  

track:auto

Automation track

  

track:core

Core engine track

  

track:deploy

Deployment track

  

track:infra

Infrastructure track

  

track:ui

Web UI track

  

type:cleanup

Small cleanup, polish, or consolidation work

  

type:docs

Documentation and operator guidance

  

type:epic

Umbrella issue that coordinates related work

  

type:release

Release, packaging, and versioning work

  

type:research

Decision or investigation work before implementation

  

wontfix

This will not be worked on

No labels

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

status:blocked

track:api

track:auto

track:core

track:deploy

track:infra

track:ui

type:cleanup

type:docs

type:epic

type:release

type:research

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

barrettruth/delta#279

No description provided.