From a361b0a551b62e08c25c2506103643046fb7b631 Mon Sep 17 00:00:00 2001
From: Emma Hamilton
Date: Fri, 29 Nov 2024 11:18:03 +1000
Subject: [PATCH] Add npm publishing provenance (#1367)

---
 .changeset/soft-guests-film.md         | 13 +++++++++++++
 .github/workflows/publish.yml          |  5 +++++
 .github/workflows/publish_snapshot.yml | 11 ++++++-----
 design-system/pkg/package.json         |  5 +++++
 templates/astro/package.json           |  5 +++++
 templates/nextjs/package.json          |  5 +++++
 templates/remix/package.json           |  5 +++++
 7 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 .changeset/soft-guests-film.md

diff --git a/.changeset/soft-guests-film.md b/.changeset/soft-guests-film.md
new file mode 100644
index 000000000..03769f936
--- /dev/null
+++ b/.changeset/soft-guests-film.md
@@ -0,0 +1,13 @@
+---
+'@keystar/ui': patch
+'@keystatic/astro': patch
+'@keystatic/create': patch
+'@keystatic/core': patch
+'@keystatic/next': patch
+'@keystatic/remix': patch
+'@keystatic/templates-astro': patch
+'@keystatic/templates-nextjs': patch
+'@keystatic/templates-remix': patch
+---
+
+Add npm publishing provenance
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5030b9494..886571d96 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish:
     name: Publish
@@ -27,5 +31,6 @@ jobs:
         run: pnpm changeset publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - run: git push origin --follow-tags
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
index 8cfdb2fbe..48ded681f 100644
--- a/.github/workflows/publish_snapshot.yml
+++ b/.github/workflows/publish_snapshot.yml
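Review bot: The new `permissions` block is placed at workflow level, so `contents: write` and `id-token: write` are granted to every job the workflow ever gains, not only `publish`; the publish_snapshot.yml hunk uses the same layout. With a single job today that is harmless, but nesting the block under `jobs.publish` keeps the OIDC grant scoped if a lint or test job is added to the same workflow later. Either way a comment on why each grant exists would help the next maintainer, e.g. `# id-token: write lets npm request the OIDC token behind the provenance attestation` and `# contents: write is for the git push --follow-tags step below`. The steps of the publish job continue outside this hunk.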
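Review bot: `NPM_CONFIG_PROVENANCE: true` only has an effect when the publish client that changesets shells out to understands the `provenance` config (npm 9.5 or later); on an older client the key is most likely ignored, `pnpm changeset publish` still succeeds, and the workflow reports green with no attestation attached. The step that installs Node and pnpm is outside this hunk, so I would pin or assert the npm version there; the same line is added in the publish_snapshot.yml hunk. A short comment on the new line would also help, e.g. `# attach a Sigstore provenance attestation; needs id-token: write above and a repository.url in each package.json that matches this repo`.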
@@ -2,10 +2,10 @@ name: Publish (Snapshot)
 
 on:
   workflow_dispatch:
-    inputs:
-      tag:
-        description: 'The npm tag to publish to'
-        required: true
+
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   publish_snapshot:
@@ -33,9 +33,10 @@ jobs:
       - run: pnpm build:packages
 
       - name: npm publish, git tag
-        run: pnpm changeset publish --tag ${{ inputs.tag }}
+        run: pnpm changeset publish --tag test
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       # reset, then push the dangling commit
       - name: git push
diff --git a/design-system/pkg/package.json b/design-system/pkg/package.json
index 02fa041f4..a267b3892 100644
--- a/design-system/pkg/package.json
+++ b/design-system/pkg/package.json
@@ -4,6 +4,11 @@
   "license": "MIT AND Apache-2.0",
   "main": "",
   "module": "",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "design-system/pkg"
+  },
   "scripts": {
     "build-icons": "tsx build-icons.ts && cd ../.. && pnpm preconstruct fix"
   },
diff --git a/templates/astro/package.json b/templates/astro/package.json
index 8a5d05a10..6aa8db491 100644
--- a/templates/astro/package.json
+++ b/templates/astro/package.json
@@ -2,6 +2,11 @@
   "name": "@keystatic/templates-astro",
   "version": "0.0.54",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/astro"
+  },
   "scripts": {
     "dev": "astro dev",
     "start": "astro dev",
diff --git a/templates/nextjs/package.json b/templates/nextjs/package.json
index f8ff13933..117603887 100644
--- a/templates/nextjs/package.json
+++ b/templates/nextjs/package.json
@@ -2,6 +2,11 @@
   "name": "@keystatic/templates-nextjs",
   "version": "0.0.55",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/nextjs"
+  },
   "scripts": {
     "build": "next build",
     "dev": "next dev",
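Review bot: The second hunk replaces the dispatch-time `inputs.tag` with a hard-coded `--tag test`, but neither the commit message nor the workflow says why the dist-tag is no longer selectable; presumably the intent is that a snapshot build, now carrying a provenance attestation, can never be pushed to `latest` by a mistyped input. That reasoning belongs next to the line, e.g. `# snapshots always go to the "test" dist-tag so they can never become "latest"` above the `run:` line. Removing the input also changes what the dispatch form asks for, which is worth a sentence in the PR description. The `publish_snapshot` job body continues outside the hunks shown.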
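Review bot: The new `repository.url` is written as `https://github.com/Thinkmill/keystatic/` with a trailing slash, whereas npm documents the canonical form as `git+https://github.com/Thinkmill/keystatic.git`; npm's provenance check compares this field against the repository the workflow ran in after normalising it through hosted-git-info, so the slash form very likely passes, but the canonical form removes the dependence on that normalisation. The same value is added in templates/astro, templates/nextjs and templates/remix. Note also that the changeset lists nine packages while only four package.json files gain a `repository` entry here — the other five presumably already carry one, which is worth confirming, because a package whose `repository` does not match would make npm reject that publish and abort the `changeset publish` run part-way through.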
diff --git a/templates/remix/package.json b/templates/remix/package.json
index 9919a2952..75a0c4d11 100644
--- a/templates/remix/package.json
+++ b/templates/remix/package.json
@@ -3,6 +3,11 @@
   "type": "module",
   "version": "0.0.42",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/remix"
+  },
   "scripts": {
     "build": "remix vite:build",
     "dev": "remix vite:dev",