Streamline OIDC setup for large monorepos/organizations with many NPM packages #181927
Replies: 5 comments
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
|
we need an org level trusted publishing, not just package level |
Beta Was this translation helpful? Give feedback.
-
|
I have the same issue. Our organization uses a monorepo to manage projects and previously used Lerna for publishing. Even after migrating to Trusted Publishing, we still need to add the configuration for each package individually, which is almost an unsustainable amount of work. |
Beta Was this translation helpful? Give feedback.
-
|
We're facing the same issue and this slows down the adoption path to trusted publishing. |
Beta Was this translation helpful? Give feedback.
-
|
I completely agree with the concerns raised here. The current OIDC setup process for monorepos is a significant pain point that affects many organizations. The Core Issue As @omercnet pointed out, what we really need is organization-level trusted publishing, not just package-level configuration. The current approach forces us to repeat the same configuration (GitHub repo, workflow file, environment name) for every single package, which becomes increasingly unsustainable as monorepos grow. Real-World Impact As mentioned by @czy88840616 and @slinkydeveloper, this manual overhead is actively slowing down the adoption of trusted publishing. For organizations managing dozens or even hundreds of packages from a single monorepo (like your 54 packages), the current workflow is impractical. The time spent on repetitive configuration could be better used for actual development work. Proposed Solutions
Business Case Trusted publishing is the more secure approach that NPM is encouraging everyone to adopt. However, if the barrier to entry remains this high for monorepo users, it actually works against security adoption. Making this process more efficient would:
I hope the NPM/GitHub team can prioritize this enhancement. It would make a significant difference for the developer experience. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Select Topic Area
Product Feedback
Body
I have a large monorepo that contains 54 NPM packages in the same NPM organization (
@vitessce, https://www.npmjs.com/search?q=%40vitessce )I need to set up OIDC publishing for all 54 packages in the organization. Currently, this requires me to manually do the following for each individual package (all are in the same repo and specify the same
.ymlworkflow file):This is extremely time consuming. And now i will need to do the same whenever my monorepo expands to define a new package.
A streamlined workflow for NPM organizations is urgently needed. At minimum, it should reduce the number of clicks for such repetitive actions. Ideally, we could configure OIDC publishing for any package (current or future) within the NPM organization using the same settings (same github repo and
.ymlactions workflow file and environment name).Beta Was this translation helpful? Give feedback.
All reactions