From c50dcf144751e3982c6e153d0119302f8350a07c Mon Sep 17 00:00:00 2001 From: Emma Hamilton Date: Fri, 29 Nov 2024 10:43:06 +1000 Subject: [PATCH 1/5] Add npm publishing provenance --- .github/workflows/publish.yml | 5 +++++ .github/workflows/publish_snapshot.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5030b9494..886571d96 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,6 +3,10 @@ name: Publish on: workflow_dispatch: +permissions: + contents: write + id-token: write + jobs: publish: name: Publish @@ -27,5 +31,6 @@ jobs: run: pnpm changeset publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: true - run: git push origin --follow-tags diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml index 8cfdb2fbe..f82f95396 100644 --- a/.github/workflows/publish_snapshot.yml +++ b/.github/workflows/publish_snapshot.yml @@ -7,6 +7,10 @@ on: description: 'The npm tag to publish to' required: true +permissions: + contents: write + id-token: write + jobs: publish_snapshot: name: Publish (Snapshot) @@ -36,6 +40,7 @@ jobs: run: pnpm changeset publish --tag ${{ inputs.tag }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: true # reset, then push the dangling commit - name: git push From d19397aba012fd16854dc4713d820c3e8b3295ec Mon Sep 17 00:00:00 2001 From: Emma Hamilton Date: Fri, 29 Nov 2024 10:44:49 +1000 Subject: [PATCH 2/5] changeset --- .changeset/soft-guests-film.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .changeset/soft-guests-film.md diff --git a/.changeset/soft-guests-film.md b/.changeset/soft-guests-film.md new file mode 100644 index 000000000..03769f936 --- /dev/null +++ b/.changeset/soft-guests-film.md 
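Review bot: The top-level `permissions:` block added to publish.yml grants `contents: write` and `id-token: write` to the whole workflow, so every step of the job can push to the repository and request an OIDC token, not only the publish step. Declaring the block under `jobs.publish` keeps any job added later from inheriting it. If the build can run in a separate job that hands its output over as an artifact, only the publishing job needs `id-token: write`. Because `workflow_dispatch` can be started on any branch, a job-level guard such as `if: github.ref == 'refs/heads/<default-branch>'` (placeholder) would stop a release being published and attested from an unreviewed ref. Most of the job's steps lie outside the hunk, so which steps precede the publish is inferred; the same block is added to publish_snapshot.yml.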
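Review bot: `NPM_CONFIG_PROVENANCE: true` in the publish step's `env:` is an unquoted YAML boolean, while the consumer reads a string; `NPM_CONFIG_PROVENANCE: 'true'` states that intent and does not depend on how the loader stringifies the value. Provenance generation needs npm 9.5.0 or newer, and the hunk does not show which Node/npm version the job installs, so that is worth confirming. The long-lived `NPM_TOKEN` still authorises the publish, and provenance does not limit what a leaked token can publish, so it should be a granular, publish-only token scoped to these packages. The same line is added to publish_snapshot.yml.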
@@ -0,0 +1,13 @@ +--- +'@keystar/ui': patch +'@keystatic/astro': patch +'@keystatic/create': patch +'@keystatic/core': patch +'@keystatic/next': patch +'@keystatic/remix': patch +'@keystatic/templates-astro': patch +'@keystatic/templates-nextjs': patch +'@keystatic/templates-remix': patch +--- + +Add npm publishing provenance From b80111f32042cffbdc15974147e1c9e202284300 Mon Sep 17 00:00:00 2001 From: Emma Hamilton Date: Fri, 29 Nov 2024 11:03:04 +1000 Subject: [PATCH 3/5] Add repository field to templates/* --- templates/astro/package.json | 5 +++++ templates/nextjs/package.json | 5 +++++ templates/remix/package.json | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/templates/astro/package.json b/templates/astro/package.json index 8a5d05a10..6aa8db491 100644 --- a/templates/astro/package.json +++ b/templates/astro/package.json @@ -2,6 +2,11 @@ "name": "@keystatic/templates-astro", "version": "0.0.54", "license": "MIT", + "repository": { + "type": "git", + "url": "https://github.com/Thinkmill/keystatic/", + "directory": "templates/astro" + }, "scripts": { "dev": "astro dev", "start": "astro dev", diff --git a/templates/nextjs/package.json b/templates/nextjs/package.json index f8ff13933..117603887 100644 --- a/templates/nextjs/package.json +++ b/templates/nextjs/package.json @@ -2,6 +2,11 @@ "name": "@keystatic/templates-nextjs", "version": "0.0.55", "license": "MIT", + "repository": { + "type": "git", + "url": "https://github.com/Thinkmill/keystatic/", + "directory": "templates/nextjs" + }, "scripts": { "build": "next build", "dev": "next dev", diff --git a/templates/remix/package.json b/templates/remix/package.json index 9919a2952..75a0c4d11 100644 --- a/templates/remix/package.json +++ b/templates/remix/package.json 
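Review bot: The `repository.url` added in templates/astro/package.json is the browser URL with a trailing slash, `https://github.com/Thinkmill/keystatic/`, and the provenance check at publish time compares this field with the repository recorded in the attestation. I have not confirmed how the registry normalises a trailing slash, so the canonical form that `npm pkg fix` writes, `"url": "git+https://github.com/Thinkmill/keystatic.git"`, is the safer value. The same URL appears in the templates/nextjs, templates/remix and design-system/pkg hunks.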
@@ -3,6 +3,11 @@ "type": "module", "version": "0.0.42", "license": "MIT", + "repository": { + "type": "git", + "url": "https://github.com/Thinkmill/keystatic/", + "directory": "templates/remix" + }, "scripts": { "build": "remix vite:build", "dev": "remix vite:dev", From 77f8057947d7f1a84c2c6324b8baf378ef648bf3 Mon Sep 17 00:00:00 2001 From: Emma Hamilton Date: Fri, 29 Nov 2024 11:04:58 +1000 Subject: [PATCH 4/5] Remove input from publish_snapshot workflow since it's always constant --- .github/workflows/publish_snapshot.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml index f82f95396..48ded681f 100644 --- a/.github/workflows/publish_snapshot.yml +++ b/.github/workflows/publish_snapshot.yml @@ -2,10 +2,6 @@ name: Publish (Snapshot) on: workflow_dispatch: - inputs: - tag: - description: 'The npm tag to publish to' - required: true permissions: contents: write @@ -37,7 +33,7 @@ jobs: - run: pnpm build:packages - name: npm publish, git tag - run: pnpm changeset publish --tag ${{ inputs.tag }} + run: pnpm changeset publish --tag test env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: true From 6a6685f87510ba7bdde114eebb642377e520714d Mon Sep 17 00:00:00 2001 From: Emma Hamilton Date: Fri, 29 Nov 2024 11:13:38 +1000 Subject: [PATCH 5/5] Add repository field to @keystar/ui --- design-system/pkg/package.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/design-system/pkg/package.json b/design-system/pkg/package.json index 02fa041f4..a267b3892 100644 --- a/design-system/pkg/package.json +++ b/design-system/pkg/package.json @@ -4,6 +4,11 @@ "license": "MIT AND Apache-2.0", "main": "", "module": "", + "repository": { + "type": "git", + "url": "https://github.com/Thinkmill/keystatic/", + "directory": "design-system/pkg" + }, "scripts": { "build-icons": "tsx build-icons.ts && cd ../.. && pnpm preconstruct fix" },
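Review bot: The literal `--tag test` on the publish step in publish_snapshot.yml has no comment saying why the dist-tag is fixed. Presumably the fixed tag is what keeps a snapshot build from being published as `latest`. A comment above the step such as `# snapshots always publish under the "test" dist-tag so they never become "latest"` would record that for the next maintainer. The step list starts outside the hunk.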