From a55b41a7ac0eaa5864907115d28f65a05ccefd9f Mon Sep 17 00:00:00 2001
From: OB
Date: Wed, 20 May 2026 14:09:09 +0700
Subject: [PATCH] fix(javascript-npm-packages): harden npm publish on the token bootstrap path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pass --ignore-scripts --access public to npm publish. Defense in depth against postinstall-worm supply-chain attacks: install-time scripts are already skipped by pnpm install --frozen-lockfile --ignore-scripts in javascript/base; the publish flag now also skips prepack / postpack / publish / postpublish while the long-lived bootstrap token is in env. prepublishOnly still runs (known npm publish behavior), but it invokes our own gates from the frozen lockfile that already ran in the base action. The bootstrap token's exposure narrows to one publish — switch to OIDC + provenance via Trusted Publisher for 1.0.1+ to eliminate the long-lived token entirely.

Bumps 0.1.10 to 0.1.11 and prepends the changelog entry.
---
 .github/workflows/javascript-npm-packages.yml | 2 +-
 CHANGELOG.md | 5 +++++
 package.json | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/javascript-npm-packages.yml b/.github/workflows/javascript-npm-packages.yml
index c5829e4..9948c4a 100644
--- a/.github/workflows/javascript-npm-packages.yml
+++ b/.github/workflows/javascript-npm-packages.yml
@@ -82,7 +82,7 @@ jobs:
 # `files`, same `prepublishOnly`). Full rationale: CHANGELOG
 # v0.1.10.
 npm --version
- npm publish
+ npm publish --ignore-scripts --access public
 else
 echo "Publishing with OIDC Trusted Publisher + provenance"
 pnpm publish --provenance --no-git-checks
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8c7b8a..8f817ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
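Review bot: `--access public` on the new `npm publish` line makes this reusable workflow decide the access level for every package it publishes, and the OIDC branch in the same hunk (`pnpm publish --provenance --no-git-checks`) does not set the same flag, so the two paths now diverge and a consumer whose scoped package is meant to stay restricted could be published publicly on the token path. The commit message justifies only `--ignore-scripts`; prefer leaving access to the package's own `publishConfig.access` and dropping the flag, `npm publish --ignore-scripts`, or set it on the OIDC branch as well and state why. The inline comment two lines above still cites `CHANGELOG v0.1.10` as the full rationale although the flags are explained under v0.1.11; update it to `# v0.1.10 and v0.1.11.` or similar. The claim that `prepublishOnly` still runs under `--ignore-scripts` is asserted here and in the changelog but cannot be confirmed from the hunk, and the safety argument depends on which way it goes: if it does run, a script still executes with the long-lived token in env; if it does not, the gates the path was counted on for no longer run at publish time, so verify against the pinned npm version (`npm --version` is logged just above) and record the outcome in the comment. The enclosing `if`/`else` starts outside the hunk.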
@@ -1,5 +1,10 @@
 # Changelog
+## v0.1.11 - 20/05/2026
+
+### Fixes
+- `javascript-npm-packages` — pass `--ignore-scripts --access public` to `npm publish` on the token bootstrap path. Defense in depth against postinstall-worm supply-chain attacks: install-time scripts are already skipped by `pnpm install --frozen-lockfile --ignore-scripts` in `javascript/base`; the publish flag now also skips `prepack`/`postpack`/`publish`/`postpublish` while the long-lived bootstrap token is in env. `prepublishOnly` still runs (known `npm publish` behavior — the flag does not cover it), but it invokes our own gates from the frozen lockfile that already ran in the base action. The bootstrap token's exposure narrows to one publish — switch to OIDC + provenance via Trusted Publisher for `1.0.1+` to eliminate the long-lived token entirely.
+
 ## v0.1.10 - 20/05/2026
 ### Fixes
diff --git a/package.json b/package.json
index 19ba5a7..0a19b90 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@coroboros/ci",
- "version": "0.1.10",
+ "version": "0.1.11",
 "private": true,
 "description": "Reusable GitHub Actions CI for the Coroboros stack.",
 "license": "SEE LICENSE IN LICENSE.md",