From 62ff0074d9a3f82e46f5c62db85c04d87ff5e931 Mon Sep 17 00:00:00 2001
From: HiDeoo <494699+HiDeoo@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:34:12 +0100
Subject: [PATCH 1/2] Publish provenance for public packages (#2664)
---
 .changeset/sweet-poems-smoke.md | 8 ++++++++
 .github/workflows/release.yml | 3 +++
 packages/docsearch/package.json | 3 +++
 packages/markdoc/package.json | 3 +++
 packages/starlight/package.json | 3 +++
 packages/tailwind/package.json | 3 +++
 6 files changed, 23 insertions(+)
 create mode 100644 .changeset/sweet-poems-smoke.md
diff --git a/.changeset/sweet-poems-smoke.md b/.changeset/sweet-poems-smoke.md
new file mode 100644
index 00000000000..a4835124ca7
--- /dev/null
+++ b/.changeset/sweet-poems-smoke.md
@@ -0,0 +1,8 @@
+---
+'@astrojs/starlight-docsearch': patch
+'@astrojs/starlight': patch
+'@astrojs/starlight-tailwind': patch
+'@astrojs/starlight-markdoc': patch
+---
+
+Publishes provenance containing verifiable data to link a package back to its source repository and the specific build instructions used to publish it.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe406013740..cdca8a2b322 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ jobs:
 name: Release
 if: ${{ github.repository_owner == 'withastro' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
diff --git a/packages/docsearch/package.json b/packages/docsearch/package.json
index 389da579097..e80bc275396 100644
--- a/packages/docsearch/package.json
+++ b/packages/docsearch/package.json
@@ -33,5 +33,8 @@
 },
 "devDependencies": {
 "@astrojs/starlight": "workspace:*"
+ },
+ "publishConfig": {
+ "provenance": true
 }
 }
diff --git a/packages/markdoc/package.json b/packages/markdoc/package.json
index f1c4298b944..0218a059058 100644
--- a/packages/markdoc/package.json
+++ b/packages/markdoc/package.json
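Review bot: The new `permissions` block carries no comment explaining why the release job needs `id-token: write`, and that scope lets every step in the job request an OIDC token from GitHub, not only the publish step. I would add `# id-token: write is needed so npm can sign the provenance statement via OIDC` above that line. Because the job now holds this scope, the `uses: actions/checkout@v4` reference in the trailing context is worth pinning to a full commit SHA, since a moved tag would run with the same permissions. The steps list continues outside the hunk, so other actions in the job may deserve the same pin.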
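Review bot: With `"provenance": true` in `publishConfig`, npm can only produce the attestation when the publish runs on a supported CI provider with an OIDC token, so a manual or local `npm publish` of this package is expected to fail rather than publish unsigned. If that is intended it is worth stating in the release documentation; if a manual fallback has to keep working, setting `NPM_CONFIG_PROVENANCE: true` in the release workflow's `env` keeps the switch in one place instead of four manifests. The same three lines are added to `packages/markdoc`, `packages/starlight` and `packages/tailwind`, and the point applies to each of them. Running `npm audit signatures` in a consumer project after the first release confirms that the attestations were actually published.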
@@ -24,5 +24,8 @@
 "peerDependencies": {
 "@astrojs/markdoc": "^0.11.4",
 "@astrojs/starlight": ">=0.23.0"
+ },
+ "publishConfig": {
+ "provenance": true
 }
 }
diff --git a/packages/starlight/package.json b/packages/starlight/package.json
index ea30d750d27..730a708af8d 100644
--- a/packages/starlight/package.json
+++ b/packages/starlight/package.json
@@ -212,5 +212,8 @@
 "unified": "^11.0.5",
 "unist-util-visit": "^5.0.0",
 "vfile": "^6.0.2"
+ },
+ "publishConfig": {
+ "provenance": true
 }
 }
diff --git a/packages/tailwind/package.json b/packages/tailwind/package.json
index 999e0691fef..5b137cb51e6 100644
--- a/packages/tailwind/package.json
+++ b/packages/tailwind/package.json
@@ -32,5 +32,8 @@
 "@astrojs/starlight": ">=0.9.0",
 "@astrojs/tailwind": "^5.0.0",
 "tailwindcss": "^3.3.3"
+ },
+ "publishConfig": {
+ "provenance": true
 }
 }
From cb3cb21f12ccd7c2bd9eb86bed65cd8096dc18e2 Mon Sep 17 00:00:00 2001
From: Chris Swithinbank
Date: Fri, 13 Dec 2024 14:47:51 +0100
Subject: [PATCH 2/2] Fix release workflow permissions (#2665)
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cdca8a2b322..eb4a7cce26a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
 if: ${{ github.repository_owner == 'withastro' }}
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: write
 id-token: write
 steps:
 - name: Checkout Repo
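Review bot: `contents: write` gives the job's `GITHUB_TOKEN` push access to the repository for every step, and neither the commit message nor the workflow says which step needs it. A short comment such as `# contents: write is required by the release step to push tags and create GitHub releases` (adjusted to what that step really does, since it is outside the hunk) would keep the scope from being widened further without review. `actions/checkout` persists the token in the local git config by default, so install and build scripts that run before publishing can presumably reach it; if the release step authenticates with its own token, `persist-credentials: false` on the checkout step would narrow that. The job's remaining steps are not visible here.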