From bb09c7ca6eb52d32b9ddf6530d21d39812473499 Mon Sep 17 00:00:00 2001
From: Jacob Bolda
Date: Wed, 24 Jul 2024 08:40:11 -0500
Subject: [PATCH] ci: npm publish with provenance (#1582)
* npm publish with provenance
* update token to allow creating id-token
---
 .changes/config.json | 12 +++++++++++-
 .github/workflows/covector-version-or-publish-v2.yml | 8 ++++++++
 .github/workflows/covector-version-or-publish.yml | 8 ++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/.changes/config.json b/.changes/config.json
index b01389c47..3e5527246 100644
--- a/.changes/config.json
+++ b/.changes/config.json
@@ -9,7 +9,17 @@
 "url": "https://registry.npmjs.com/${ pkg.pkgFile.pkg.name }/${ pkg.pkgFile.version }"
 }
 },
- "publish": ["pnpm build", "pnpm publish --access public --no-git-checks"]
+ "publish": [
+ {
+ "command": "pnpm build",
+ "dryRunCommand": "pnpm build"
+ },
+ {
+ "command": "npm publish --provenance --access public",
+ "dryRunCommand": "npm publish --provenance --access public --dry-run",
+ "pipe": true
+ }
+ ]
 },
 "rust": {
 "version": true,
diff --git a/.github/workflows/covector-version-or-publish-v2.yml b/.github/workflows/covector-version-or-publish-v2.yml
index 37307dee5..0662c688d 100644
--- a/.github/workflows/covector-version-or-publish-v2.yml
+++ b/.github/workflows/covector-version-or-publish-v2.yml
@@ -9,6 +9,14 @@ on:
 branches:
 - v2
 
+permissions:
+ # required for npm provenance
+ id-token: write
+ # required to create the GitHub Release
+ contents: write
+ # required for creating the Version Packages Release
+ pull-requests: write
+
 jobs:
 version-or-publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/covector-version-or-publish.yml b/.github/workflows/covector-version-or-publish.yml
index d705669a8..1828bf2f0 100644
--- a/.github/workflows/covector-version-or-publish.yml
+++ b/.github/workflows/covector-version-or-publish.yml
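Review bot: The second publish entry's `npm publish --provenance --access public` ties the attestation to each package's manifest, and npm is expected to reject the publish when a package.json has no `repository` entry or one whose URL does not match the repository the workflow runs in; every package published through this config should be checked for that before the next release, since the replaced `pnpm publish` command carried no such requirement. The flag also depends on the `id-token: write` permission added to both workflows in this commit, so the config change and the workflow changes only work together. Dropping `--no-git-checks` loses nothing here, because `npm publish` performs no git-state check of its own.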
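Review bot: The added `permissions:` block is declared at the workflow level, so `id-token: write`, `contents: write` and `pull-requests: write` are granted to every job in the file, not only to the `version-or-publish` job that needs them; nesting the same eight lines under `version-or-publish:` (indented one level, above `runs-on`) keeps the OIDC identity and the write scopes on the publishing job alone and stays correct if lint or test jobs are added later. The identical hunk in `.github/workflows/covector-version-or-publish.yml` has the same shape and would take the same change. The `version-or-publish` job continues past the end of the hunk, so the exact placement needs checking against the full file.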
@@ -9,6 +9,14 @@ on:
 branches:
 - v1
 
+permissions:
+ # required for npm provenance
+ id-token: write
+ # required to create the GitHub Release
+ contents: write
+ # required for creating the Version Packages Release
+ pull-requests: write
+
 jobs:
 version-or-publish:
 runs-on: ubuntu-latest