Tbf the new trusted publishers goes a long way to improving this (not used by this package by the look of it). I migrated a few of my packages to it, and now:
- publishing with an API token is forbidden, must use the specified workflow w/ OIDC auth
- an explicit approval step in GitHub is required to run the publish workflow (you can also set a time delay, similar to time release safes)
- publishing with an API token is forbidden, must use the specified workflow w/ OIDC auth
- an explicit approval step in GitHub is required to run the publish workflow (you can also set a time delay, similar to time release safes)
- provenance is generated and published
Ref: https://docs.npmjs.com/trusted-publishers/