Skip to content

Commit

Permalink
ci: add provenance to insider packages (#336)
Browse files Browse the repository at this point in the history 
This commit adds provenance for insider packages. See the NPM documentation [0].

Provenance will allow people to verify that the packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements
  • Loading branch information
@saibotk @adamwathan
saibotk authored and adamwathan committed Mar 27, 2024
1 parent 04bd9d4 commit 9d4cd55
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion .github/workflows/release-insiders.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ on:
push:
branches: [master]

permissions:
contents: read
id-token: write

jobs:
build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -49,7 +53,7 @@ jobs:
run: npm version 0.0.0-insiders.${{ steps.vars.outputs.sha_short }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag insiders
run: npm publish --provenance --tag insiders
env:
CI: true
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 comments on commit 9d4cd55

Please sign in to comment.