From 32db45e793ef5ab2caba8aac2d5b098fc70ce0fa Mon Sep 17 00:00:00 2001
From: Simon Boudrias
Date: Thu, 9 Jan 2025 17:39:37 -0500
Subject: [PATCH] Security: require 2FA for publish
---
 .gitignore | 1 +
 CONTRIBUTING.md | 12 ++++++++++--
 package.json | 1 +
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8ae2e294a..63d8b788e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ coverage
 !.yarn/versions
 .turbo
 .DS_Store
+publish.env
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index aed75746d..291e23b5e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -73,8 +73,16 @@ yarn demo
 ## Publishing new versions
-Note: This can only be done by someone with permission to the org on `npm`.
+Note: This can only be done by someone with permission to the org on `npm` and requires 2FA setup.
 ```sh
-yarn lerna publish
+yarn publish
 ```
+
+You'll need to add a `./publish.env` at the root of the repo. And inside define your 2FA codes:
+
+```
+NPM_CONFIG_OTP=""
+```
+
+The publish alias relies on 1password for developer to fetch the private information.
diff --git a/package.json b/package.json
index e4e21926c..9395cb0be 100644
--- a/package.json
+++ b/package.json
@@ -53,6 +53,7 @@
 "internals/*"
 ],
 "scripts": {
+ "publish": "op run --env-file='./publish.env' -- yarn lerna publish",
 "demo": "node --watch-path=packages/ packages/demo/dist/esm/index.js",
 "dev": "turbo watch tsc",
 "prepare": "husky && turbo tsc attw",
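Review bot: The script added to `scripts` in package.json is named `publish`, which is also an npm lifecycle event that lerna runs in the root package after publishing, so `lerna publish` may re-invoke this wrapper; lerna's documentation warns against using the root `publish` lifecycle to call `lerna publish`, which is worth confirming against the lerna version in use. A non-lifecycle name avoids the collision, e.g. `"release": "op run --env-file='./publish.env' -- yarn lerna publish",`, with the command in CONTRIBUTING.md updated to match. Separately, this wrapper only supplies an OTP to the client; the 2FA requirement itself has to be enforced in the npm package or org settings, which this patch does not show. Because `op run` exports the resolved values to the whole child process tree (including the `prepare` script and any package lifecycle scripts), `publish.env` should stay limited to the OTP reference and not grow to hold long-lived tokens.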