npm trusted publishing now supports CircleCI - GitHub Changelog
npm trusted publishing now supports CircleCI as an OIDC provider, joining GitHub Actions and GitLab CI/CD. …
… Azure private networking now supports VNET failover: Azure private networking for GitHub Actions hosted runners now supports failover networks in public preview. …
… We recommend pairing staged publishing with trusted publishing (OIDC). A trusted publishing configuration can be limited to stage-only, which means npm publish from that workflow will be rejected and only npm stage publish is accepted. …
… A shared trust domain is a feature for deterministic automation, enabling broad access, composability, and good performance. But when combined with untrusted agents, having a single trust domain can create a large blast radius if something goes wrong. …
… Specifically, GitHub partners with the OpenSSF to support this security capability, called trusted publishing, in package repositories, which is now supported across npm, PyPI, NuGet, RubyGems, Crates, and other package repositories. …
… With scoped secrets: secrets are bound directly to trusted workflows; callers don’t automatically pass credentials; trust boundaries are explicit. Permission model changes for Action Secrets: we’re separating code contributions from credential management. …
GitHub Actions OpenID Connect (OIDC) tokens now support repository custom properties as claims. …
… When an “attack” requires the victim to actively seek out and engage with attacker-controlled content (cloning a malicious repo, asking an AI tool to analyze untrusted code, opening a crafted file), the security boundary is the user’s decision to trust that content. …
… Our plan for a more secure npm supply chain: Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem. …
… Discussion: How should corporations support OSS maintainers? May 14, virtual. An open discussion on corporate OSS support. …