From e9c6d16b81486523dbc7b5af26b5276038a94569 Mon Sep 17 00:00:00 2001
From: Jacob Bandes-Storch
Date: Tue, 23 Apr 2024 14:46:57 -0700
Subject: [PATCH] Add provenance attestation when publishing to NPM (#15)
### Changelog
None
### Description
This adds a provenance attestation to the published package so consumers can verify that the package was built on GitHub Actions:
- https://github.blog/2023-04-19-introducing-npm-package-provenance/
- https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
The package will appear like this on npm:
---
.github/workflows/ci.yml | 13 ++++++++++++-
.vscode/settings.json | 2 +-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d91b7ba..b8e8d73 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,10 @@ jobs:
name: push
runs-on: ubuntu-latest
+ permissions:
+ # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
+ id-token: write
+
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
@@ -23,8 +27,15 @@ jobs:
- run: yarn install --frozen-lockfile
- run: yarn run lint:ci
+ - run: yarn pack
+ - name: Publish to NPM (dry run)
+ # `yarn publish` does not support --provenance
+ run: npm publish foxglove-rosmsg-msgs-common-*.tgz --provenance --access public --dry-run
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Publish to NPM
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
- run: yarn publish --access public
+ # `yarn publish` does not support --provenance
+ run: npm publish foxglove-rosmsg-msgs-common-*.tgz --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 9107ebb..abe4525 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
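Review bot: The job-level `permissions:` block added in the first ci.yml hunk names only `id-token: write`, and GitHub sets every scope not listed in a job-level block to none, so the job's GITHUB_TOKEN now has no `contents` access at all; `actions/checkout@v3` still succeeds for a public repository, but the narrowing is implicit and would break the checkout if the repository were ever made private. Make the intended read scope explicit by adding `contents: read` directly above `id-token: write`. Note also that `id-token: write` now applies to every run of this job, including the new unconditional dry-run step, even though only the tag-gated publish step needs an OIDC token for the attestation; if the dry run does not need a real attestation, moving the provenance publish into its own tag-gated job would keep the OIDC grant limited to releases. The enclosing `push` job continues outside this hunk.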
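Review bot: The new dry-run step in the second ci.yml hunk injects `NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}` without any `if:` guard, whereas before this change the long-lived publish token was only placed in the environment of the step gated on `startsWith(github.ref, 'refs/tags/v')`; every push to the repository now runs a step with the publish token in its environment, which widens the token's exposure to whatever executes during that `npm publish --dry-run`. Check whether `npm publish --dry-run` needs credentials against this registry at all; if it does not, drop the `env:` block from the dry-run step, and if it does, use a token with narrower scope than the release one. The tarball argument `foxglove-rosmsg-msgs-common-*.tgz` is a shell glob that relies on `yarn pack` having produced exactly one matching file; a comment such as `# expects exactly one tarball from the preceding yarn pack step` on both `run:` lines would make that assumption visible. The same `yarn publish` comment is repeated on both steps; one comment above the `yarn pack` step would cover both.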
@@ -1,7 +1,7 @@
// -*- jsonc -*-
{
"editor.codeActionsOnSave": {
- "source.fixAll.eslint": true
+ "source.fixAll.eslint": "explicit"
},
"editor.defaultFormatter": "esbenp.prettier-vscode",
"editor.formatOnSave": true,