From c50dcf144751e3982c6e153d0119302f8350a07c Mon Sep 17 00:00:00 2001
From: Emma Hamilton
Date: Fri, 29 Nov 2024 10:43:06 +1000
Subject: [PATCH] Add npm publishing provenance

---
 .github/workflows/publish.yml | 5 +++++
 .github/workflows/publish_snapshot.yml | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5030b9494..886571d96 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish:
     name: Publish
@@ -27,5 +31,6 @@ jobs:
         run: pnpm changeset publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - run: git push origin --follow-tags
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
index 8cfdb2fbe..f82f95396 100644
--- a/.github/workflows/publish_snapshot.yml
+++ b/.github/workflows/publish_snapshot.yml
@@ -7,6 +7,10 @@ on:
         description: 'The npm tag to publish to'
         required: true
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish_snapshot:
     name: Publish (Snapshot)
@@ -36,6 +40,7 @@ jobs:
         run: pnpm changeset publish --tag ${{ inputs.tag }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       # reset, then push the dangling commit
       - name: git push
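Review bot: The `permissions` block added at the top of publish.yml is workflow-wide, so every job in the file receives `contents: write` and `id-token: write`, although only the `publish` job that runs `pnpm changeset publish` and `git push origin --follow-tags` needs them; the identical block in the first publish_snapshot.yml hunk has the same scope. Nesting it under the job instead, `publish:` / `  permissions:` / `    contents: write` / `    id-token: write`, keeps any job added to these workflows later on the restricted default token. Declaring `permissions` explicitly is still the right move, since it drops every scope not listed. The `jobs:` mapping these hunks open continues past the hunk.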
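Review bot: `NPM_CONFIG_PROVENANCE: true` under `env:` is a YAML boolean rather than a string; GitHub Actions stringifies env values, but writing it as `NPM_CONFIG_PROVENANCE: "true"` states the intended value and keeps generic YAML linting (truthy) quiet — the same line is added in the second publish_snapshot.yml hunk. Provenance is, as far as I know, only accepted by the npm registry when the package's `repository` field points at the repository running the workflow, so a published package with a missing or mismatched field would now make this step fail; a dry run before the next release would confirm that against current registry behaviour. It is also worth checking in the job log that the publish driven by `changeset publish` actually emits the provenance attestation, since it is the inner package-manager publish that reads this env var, not changesets itself. The step and job enclosing this hunk start outside it.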
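Review bot: With `id-token: write` now granted to this job, the existing `run: pnpm changeset publish --tag ${{ inputs.tag }}` line deserves a second look even though this commit does not touch it: the `inputs.tag` expression, which appears to be a free-text dispatch input (`required: true`, no type shown), is interpolated into the shell command before it runs, so the OIDC-signed publish is driven by an unvalidated input. Passing it through the environment, `env:` / `  TAG: ${{ inputs.tag }}` with `run: pnpm changeset publish --tag "$TAG"`, keeps the value out of the shell parse. The enclosing step and job start outside the hunk.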