From a90799a69cb0a62f9103b395c3f26627f0402755 Mon Sep 17 00:00:00 2001 From: Aaron Dewes Date: Wed, 3 Apr 2024 20:04:47 +0200 Subject: [PATCH] feat(security): Add provenance (#2653) * Enable provenance in package.json * Add necessary permissions to the release workflow --- .github/workflows/release.yml | 7 +++++++ package.json | 3 +++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4d4fe35beb..412df7b5af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,13 @@ name: Release - beta - "*.x" - debug +# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance +permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance + jobs: release: name: release diff --git a/package.json b/package.json index c94c867b1a..a10f1b4fa5 100644 --- a/package.json +++ b/package.json @@ -108,5 +108,8 @@ }, "engines": { "node": ">= 18" + }, + "publishConfig": { + "provenance": true } }