barrettruth/delta
1
0
Fork 0
Code Issues 6 Pull requests 1 Releases 3 Packages Activity Actions

Add CLI npm token rotation guard #344

Merged
barrettruth merged 1 commit from fix/cli-npm-token-rotation-279 into main 2026-05-11 20:08:21 +00:00
Conversation 0 Commits 1 Files changed 3 +258 -9
barrettruth commented 2026-05-11 20:07:02 +00:00
Owner
Copy link

Problem

The CLI release workflow publishes @barrettruth/delta with Forgejo Actions secret NPM_TOKEN. That npm token expires on 2026-06-09, and npm does not support renewing the existing token in place.

Solution

  • Document the rotation decision and runbook for the current Forgejo-based release path.
  • Add a SOPS-to-Forgejo sync helper that reads the encrypted token without printing it and updates NPM_TOKEN plus NPM_TOKEN_EXPIRES_AT.
  • Extend the CLI tag preflight to check NPM_TOKEN, read expiry metadata, and warn/block before pushing a release tag with stale token state.

Verification

  • bash -n scripts/version/bump.sh scripts/version/sync-npm-token-from-sops.sh
  • git diff --check
  • nix shell nixpkgs#sops -c sh -c 'sops -d --extract '''["data"]''' "$HOME/.config/nix/secrets/vps/forgejo-action-delta-npm-token" | wc -c'
  • direnv exec . nix develop --command just ci

Refs #279

## Problem The CLI release workflow publishes @barrettruth/delta with Forgejo Actions secret NPM_TOKEN. That npm token expires on 2026-06-09, and npm does not support renewing the existing token in place. ## Solution - Document the rotation decision and runbook for the current Forgejo-based release path. - Add a SOPS-to-Forgejo sync helper that reads the encrypted token without printing it and updates NPM_TOKEN plus NPM_TOKEN_EXPIRES_AT. - Extend the CLI tag preflight to check NPM_TOKEN, read expiry metadata, and warn/block before pushing a release tag with stale token state. ## Verification - bash -n scripts/version/bump.sh scripts/version/sync-npm-token-from-sops.sh - git diff --check - nix shell nixpkgs#sops -c sh -c 'sops -d --extract '\''["data"]'\'' "$HOME/.config/nix/secrets/vps/forgejo-action-delta-npm-token" | wc -c' - direnv exec . nix develop --command just ci Refs #279
Add CLI npm token rotation guard
All checks were successful
quality / Test (pull_request) Successful in 15s
Details
quality / Lint (pull_request) Successful in 21s
Details
quality / Build (pull_request) Successful in 42s
Details
58edee2c9e
barrettruth deleted branch fix/cli-npm-token-rotation-279 2026-05-11 20:08:21 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something isn't working

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
status:blocked
Blocked on a decision, credential, or external dependency

  
track:api
API layer track

  
track:auto
Automation track

  
track:core
Core engine track

  
track:deploy
Deployment track

  
track:infra
Infrastructure track

  
track:ui
Web UI track

  
type:cleanup
Small cleanup, polish, or consolidation work

  
type:docs
Documentation and operator guidance

  
type:epic
Umbrella issue that coordinates related work

  
type:release
Release, packaging, and versioning work

  
type:research
Decision or investigation work before implementation

  
wontfix
This will not be worked on

No labels
bug
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
status:blocked
track:api
track:auto
track:core
track:deploy
track:infra
track:ui
type:cleanup
type:docs
type:epic
type:release
type:research
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
barrettruth/delta!344
No description provided.