From c2d9ea3d38fe77ac3f844a2d71220ddf427a63d2 Mon Sep 17 00:00:00 2001 From: Jacob Bandes-Storch Date: Fri, 10 May 2024 11:51:39 -0700 Subject: [PATCH] Add provenance attestation when publishing to NPM (#124) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Changelog None ### Docs None ### Description Forgot to do this before publishing 1.0.0 😅 This adds a provenance attestation to the published package so consumers can verify that the package was built on GitHub Actions: - https://github.blog/2023-04-19-introducing-npm-package-provenance/ - https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions The package will appear like this on npm: --- .github/workflows/npm-publish.yml | 9 +++++++-- package.json | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index e39054c..b21cc15 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -7,6 +7,11 @@ on: jobs: build: runs-on: ubuntu-latest + + permissions: + # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions + id-token: write + steps: - uses: actions/checkout@v2.3.4 with: @@ -15,10 +20,10 @@ jobs: - name: Configure Node.js uses: actions/setup-node@v2.1.5 with: - node-version: 16.x + node-version: 20.x registry-url: https://registry.npmjs.org/ - run: yarn install --immutable - - run: npm publish --access public + - run: npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{secrets.NPM_PUBLISH_TOKEN}} diff --git a/package.json b/package.json index 89faead..38fb4a5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "create-foxglove-extension", - "version": "1.0.0", + "version": "1.0.1", "publisher": "foxglove", "description": "Create and package Foxglove extensions", "license": "MIT",
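Review bot: The job-level `permissions:` block added under `build` grants only `id-token: write`; once any scope is declared at job level, every unspecified scope is reduced to `none`, so the `GITHUB_TOKEN` used by `actions/checkout@v2.3.4` in the same job no longer carries `contents: read`. For a public repository the checkout will likely still succeed without an authenticated token, but the npm documentation linked in the added comment lists both scopes, and declaring them keeps the job working if the repository's visibility ever changes. I would write the block as `permissions:` / `contents: read` / `id-token: write`, keeping the existing link comment above it. The `build` job continues past the end of this hunk.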
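Review bot: `npm publish --provenance` in the changed `run:` step only succeeds when package.json carries a `repository` URL that npm can match against the repository the workflow runs in; otherwise the publish is rejected at release time. The package.json hunk in this commit shows only the version bump, so I cannot tell from here whether that field is present — worth confirming before the next tag rather than discovering it during the publish. Separately, the provenance statement attests the workflow that produced the package, so it is only as trustworthy as the actions that workflow runs: `actions/checkout@v2.3.4` and `actions/setup-node@v2.1.5` are mutable tags, and pinning them to full commit SHAs, e.g. `uses: actions/setup-node@<commit-sha> # v2.1.5`, keeps a moved tag from silently changing what the attested build executed. The `steps` list of the `build` job starts before this hunk.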