Skip to content

Commit

Permalink
ci: add provenance to insider packages (#154)
Browse files Browse the repository at this point in the history
This commit adds provenance for insider packages. See the NPM documentation [0].

Provenance will allow people to verify that the packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements
  • Loading branch information
saibotk authored Mar 22, 2024
1 parent e6bcd1f commit c9d9da3
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/release-insiders.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ on:
push:
branches: [master]

permissions:
contents: read
id-token: write

jobs:
build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -40,11 +44,11 @@ jobs:
id: vars
run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"

- name: "Version based on commit: 0.0.0-insiders.${{ steps.vars.outputs.sha_short }}"
- name: 'Version based on commit: 0.0.0-insiders.${{ steps.vars.outputs.sha_short }}'
run: npm version 0.0.0-insiders.${{ steps.vars.outputs.sha_short }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag insiders
run: npm publish --provenance --tag insiders
env:
CI: true
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 comments on commit c9d9da3

Please sign in to comment.