Add npm publishing provenance

Thinkmill · Nov 29, 2024 · c50dcf1 · c50dcf1
1 parent 6fe0372
commit c50dcf1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ name: Publish
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish:
     name: Publish
@@ -27,5 +31,6 @@ jobs:
         run: pnpm changeset publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - run: git push origin --follow-tags
diff --git a/.github/workflows/publish_snapshot.yml b/.github/workflows/publish_snapshot.yml
@@ -7,6 +7,10 @@ on:
         description: 'The npm tag to publish to'
         required: true
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   publish_snapshot:
     name: Publish (Snapshot)
@@ -36,6 +40,7 @@ jobs:
         run: pnpm changeset publish --tag ${{ inputs.tag }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       # reset, then push the dangling commit
       - name: git push