Keyless npm, 54% faster Mac builds, and trunk-based CI limits

Keyless Publishing Reaches CircleCI
GitHub Actions: Security Roadmap and Batch Scanning GA

  • A detailed breakdown of GitHub Actions' 2026 security roadmap shows OIDC custom claims are GA now; workflow dependency locking (SHA pinning enforced for third-party Actions), a native L7 egress firewall, and scoped secrets are all targeting Q3 2026–H1 2027. The roadmap is a direct response to the 2025 tj-actions compromise.
  • Code scanning batch-apply fixes hit GA on April 7: multiple alerts can now be resolved in a single commit and trigger one scan run instead of one per fix. This directly reduces wasted CI cycles during security triage on active PRs.
  • The post-tj-actions hardening baseline for 2026 is: pin all third-party Actions to full commit SHAs (not tags), generate GitHub Artifact Attestations via Sigstore for signed provenance, and enforce SLSA Build Level 3 (hardened, ephemeral, isolated build environments). Signatures without policy enforcement are treated as telemetry, not a control.
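One way to check the first item of that baseline today, ahead of GitHub's native dependency locking, is a small audit of the `uses:` references in a workflow file. The script below is an added example written for this briefing, not code from GitHub or from any project mentioned above. It treats a reference as pinned only when it ends in a full 40-character commit SHA, and by assumption exempts the `actions/*` namespace (GitHub's own Actions) from the requirement; the workflow text, the `example-org` Actions and the SHA in it are constructed sample data.

```python
import re

# A full git commit SHA is 40 lowercase hex characters. Any other ref (a tag such
# as v2, a branch such as main) is mutable and can be repointed if the upstream
# repository or its maintainer account is compromised.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches a step's `uses:` line, with or without a leading list dash or quotes.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)['\"]?")

# Assumption for this example: GitHub's own "actions" namespace may use tags.
# Pass an empty set to require SHA pinning for every remote Action.
TRUSTED_OWNERS = {"actions"}

# Constructed sample workflow (not a real project's file).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-thing@v2
      - uses: example-org/lint@0123456789abcdef0123456789abcdef01234567 # v1.4.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: deploy
        uses: example-org/deploy@main
"""


def parse_uses(ref):
    """Split a `uses:` reference into (path, version).

    Local actions ("./...") and docker images ("docker://...") have no git ref
    and return version=None so the caller can skip them.
    """
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ref, None
    path, _, version = ref.rpartition("@")
    return path, version


def audit_workflow(text, trusted_owners=TRUSTED_OWNERS):
    """Return findings for remote Actions that are not pinned to a full commit SHA.

    Each finding is a dict with the 1-based line number, the Action path and the
    mutable ref that was used instead of a SHA.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        path, version = parse_uses(m.group(1))
        if version is None:
            continue  # local action or docker image: out of scope for SHA pinning
        owner = path.split("/")[0]
        if owner in trusted_owners:
            continue
        if FULL_SHA.match(version):
            continue
        findings.append({"line": lineno, "action": path, "ref": version})
    return findings


def main():
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']} is pinned to mutable ref '{f['ref']}'")


if __name__ == "__main__":
    main()
```

Running it against the sample flags `example-org/setup-thing@v2` and `example-org/deploy@main` and accepts the SHA-pinned `example-org/lint`. A check like this only reports; it becomes a control when the pipeline fails on non-empty findings, which is the same distinction the roadmap draws between signatures as telemetry and signatures with policy enforcement.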

macOS Runner Bottleneck: Bitrise Build Hub

  • Bitrise Build Hub is a drop-in replacement for GitHub's macOS runners activated with one line of YAML: runs-on: bitrise-m4-pro. Hardware: M4 Pro, 14 vCPU, 54 GB RAM vs. GitHub's M2 Pro with 5 vCPU/14 GB.
  • Benchmark results show 54% faster Mac builds and 31% faster Android builds vs. GitHub-hosted runners. Cache is co-located with runners: 100 GB KV storage for dependencies vs. GitHub's 10 GB cap; teams combining KV and build caching report up to 90% total build time reduction.
  • Xcode versions (beta and GA) are deployed within 24 hours of Apple's release. Each build runs on an ephemeral VM destroyed after completion, eliminating environment drift. 99.9% uptime SLA is publicly tracked.

Trunk-Based Development Requires Sub-10-Minute CI

  • A practical analysis of trunk-based development failures identifies slow CI as an architectural blocker: pipelines over 20 minutes cause developers to batch changes, which grows PRs, which slows reviews, which extends branch lifetime — defeating the model entirely. The 2026 rule of thumb: CI under 10 minutes is acceptable; under 5 minutes is required for true trunk-based flow.
  • The same analysis finds the other two structural prerequisites are PR size limits (soft cap ~300 lines, hard requirement: mergeable same day) and feature flags for incomplete work. Without flags, developers hold branches open to avoid shipping unfinished features — the primary cause of divergence in teams that claim trunk-based development but don't practice it.

Datadog Experiments GA: A/B Testing Inside the Observability Platform

  • Datadog Experiments is now generally available, built on Datadog's acquisition of Eppo. Product teams can design, run, and measure A/B tests directly inside Datadog with results consolidated into a single dashboard — no separate experimentation platform required.
  • The release integrates with Datadog's existing Feature Flags platform for managing phased rollouts, connecting flag state to experiment outcomes in one view. The core tradeoff: teams consolidate signal but take a harder dependency on Datadog as both their observability and experimentation layer.
