https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
npmjs.com is changing the rules for publishing packages. Basically, using a long-lived token to publish is not going to be possible anymore. This is a good thing for the overall ecosystem, but it means we need to make some changes to our own publication pipeline.
Our best bet is to use the recently introduced trusted publishers feature (yeah, no more long-lived credentials), which means moving our publication process over to GitHub. That's not really a problem in itself: we have an organization set up, we already replicate our sources there, some parts of Tuleap are maintained there, and npmjs.com is part of GitHub, so the security model does not really change.
However, it means we need to set up a GitHub Actions workflow. Having been part of too many incident responses involving GHA already, we are not going to introduce GHA pipelines that publish production-grade packages without a safety net to check the workflows (it is also mandated by Enalean internal security policies). Zizmor will be used to check the pipelines (that's my motivation for request #45234).
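As an added illustration of what such a workflow looks like (this is example code written for this issue, not Tuleap's or Enalean's actual pipeline): a minimal publish job using npm trusted publishing, with the settings a zizmor pass would otherwise complain about already applied. The trigger (`v*` tags), the package directory (`PACKAGE_DIR_PLACEHOLDER`), the Node version and the action version tags are assumptions; the trusted-publisher entry on npmjs.com must name this repository and this workflow filename for the OIDC exchange to succeed.

```yaml
# .github/workflows/npm-publish.yml (example, not the project's own workflow)
name: Publish package to npmjs.com

on:
  push:
    tags:
      - "v*" # assumption: releases are tagged vX.Y.Z

# Least privilege at the workflow level: nothing is granted by default.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only, no write-back to the repository
      id-token: write  # lets the job request the OIDC token npm exchanges for a short-lived publish grant
    steps:
      # zizmor flags checkouts that leave the GITHUB_TOKEN in .git/config ("artipacked");
      # the publish step never needs it, so do not persist it.
      - uses: actions/checkout@v4 # zizmor will still ask to pin this to a commit SHA
        with:
          persist-credentials: false

      - uses: actions/setup-node@v4 # same remark: pin to a SHA before merging
        with:
          node-version: "22" # assumption: pick the version the package is built with
          registry-url: "https://registry.npmjs.org"

      # Trusted publishing needs a recent npm CLI; older releases fall back to token auth and fail.
      - name: Ensure an npm CLI that supports trusted publishing
        run: npm install -g npm@latest

      - name: Install and build
        working-directory: PACKAGE_DIR_PLACEHOLDER # assumption: directory of the package being published
        run: |
          npm ci
          npm run build --if-present

      # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere: npm obtains credentials from the OIDC token
      # and attaches provenance to the published version.
      - name: Publish
        working-directory: PACKAGE_DIR_PLACEHOLDER
        run: npm publish --access public
```

Running `zizmor .github/workflows/` locally before merging reports the remaining findings (most notably the unpinned `uses:` references above); pinning them to full commit SHAs is the expected fix and is the check the safety net mentioned above is meant to enforce.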
For reference, we are currently publishing the project sidebar (used in the MW theme) and a Prism language definition for TQL.