Add npm publishing provenance (#1367)

Thinkmill · Nov 29, 2024 · a361b0a · a361b0a
1 parent 6fe0372
commit a361b0a
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 5 deletions.
diff --git a/.changeset/soft-guests-film.md b/.changeset/soft-guests-film.md
@@ -0,0 +1,13 @@
+---
+'@keystar/ui': patch
+'@keystatic/astro': patch
+'@keystatic/create': patch
+'@keystatic/core': patch
+'@keystatic/next': patch
+'@keystatic/remix': patch
+'@keystatic/templates-astro': patch
+'@keystatic/templates-nextjs': patch
+'@keystatic/templates-remix': patch
+---
+
+Add npm publishing provenance
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish:
     name: Publish
@@ -27,5 +31,6 @@ jobs:
         run: pnpm changeset publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - run: git push origin --follow-tags
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
@@ -2,10 +2,10 @@ name: Publish (Snapshot)
 
 on:
   workflow_dispatch:
-    inputs:
-      tag:
-        description: 'The npm tag to publish to'
-        required: true
+
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   publish_snapshot:
@@ -33,9 +33,10 @@ jobs:
       - run: pnpm build:packages
 
       - name: npm publish, git tag
-        run: pnpm changeset publish --tag ${{ inputs.tag }}
+        run: pnpm changeset publish --tag test
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       # reset, then push the dangling commit
       - name: git push

diff --git a/design-system/pkg/package.json b/design-system/pkg/package.json
@@ -4,6 +4,11 @@
   "license": "MIT AND Apache-2.0",
   "main": "",
   "module": "",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "design-system/pkg"
+  },
   "scripts": {
     "build-icons": "tsx build-icons.ts && cd ../.. && pnpm preconstruct fix"
   },

diff --git a/templates/astro/package.json b/templates/astro/package.json
@@ -2,6 +2,11 @@
   "name": "@keystatic/templates-astro",
   "version": "0.0.54",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/astro"
+  },
   "scripts": {
     "dev": "astro dev",
     "start": "astro dev",

diff --git a/templates/nextjs/package.json b/templates/nextjs/package.json
@@ -2,6 +2,11 @@
   "name": "@keystatic/templates-nextjs",
   "version": "0.0.55",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/nextjs"
+  },
   "scripts": {
     "build": "next build",
     "dev": "next dev",

diff --git a/templates/remix/package.json b/templates/remix/package.json
@@ -3,6 +3,11 @@
   "type": "module",
   "version": "0.0.42",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Thinkmill/keystatic/",
+    "directory": "templates/remix"
+  },
   "scripts": {
     "build": "remix vite:build",
     "dev": "remix vite:dev",