From 4cb65a2a303d1df3138fa9f26cd243d621a34378 Mon Sep 17 00:00:00 2001
From: Garen Torikian
Date: Wed, 8 Apr 2026 16:30:56 -0400
Subject: [PATCH] Delete .github/workflows/fix-latest.yml

During a routine security review today, I discovered that we have an `NPM_TOKEN` stored in this repo. I didn't think we used these as we had moved on to [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers/). Turns out, there's this old workflow from https://github.com/workos/workos-node/pull/1002 which makes use of it. I don't really feel comfortable having tokens we're not using, used in actions we're not using, so by the power vested in me, I'm going to delete this action, merge the PR, and remove the GitHub secret. cc @marji-workos
---
.github/workflows/fix-latest.yml | 36 --------------------------------
1 file changed, 36 deletions(-)
delete mode 100644 .github/workflows/fix-latest.yml

diff --git a/.github/workflows/fix-latest.yml b/.github/workflows/fix-latest.yml
deleted file mode 100644
index 31f49eb66..000000000
--- a/.github/workflows/fix-latest.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Fix @latest tag
-
-on:
- workflow_dispatch:
- inputs:
- latest-version:
- description: 'The version that should be @latest, e.g. "6.7.0"'
- required: true
- type: string
-
-defaults:
- run:
- shell: bash
-
-jobs:
- test:
- name: Update @latest tag
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # 6.3.0
- with:
- node-version: 22
- registry-url: 'https://registry.npmjs.org'
-
- - name: Install Dependencies
- run: |
- npm install
-
- - name: Tag
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- LATEST_VERSION: ${{ inputs.latest-version }}
- run: |
- echo "Setting @workos-inc/node@latest to $LATEST_VERSION"
- npm dist-tag add @workos-inc/node@$LATEST_VERSION latest