feat(issue 285): Add provenance support #294
Conversation
AlanSl
changed the title
README.md
Outdated
| - In the `.yml` file that configures your release action: | ||
| - Add `provenance: true` to your list of **inputs** | ||
| - Add `id-token: write` to your list of **permissions** | ||
| - Ensure your CI runner uses NPM >= 9.5.0 (should be the default if Node >= 18) |
There was a problem hiding this comment.
how do we ensure this? is it something that the user needs to do or, since this is an action, we can do that ourselves and therefore not delegate this responsibility to the user?
There was a problem hiding this comment.
The current approach appears to have been that we do delegate this responsibility to the user, but we provide them with a working example config to follow (a .github/workflows/release.yml containing runs-on: ubuntu-latest). The readme said:
It is important to be aware that you are responsible for:
- The context where the command is executed.
The command will be executed using the current GitHub runner configuration (e.g. the one set onruns-on).
You can customize it by...
But we can probably drop or amend this line since our recommended image already provides NPM 9.5.1, so they'll already get a valid version unless they deviated from our guidance. If they did for some reason, we give an informative error message, then beyond that, it's on them.
There was a problem hiding this comment.
I've reworked this section in the "Rework readme advice" commit
README.md
Outdated
| - Add `provenance: true` to your list of **inputs** | ||
| - Add `id-token: write` to your list of **permissions** | ||
| - Ensure your CI runner uses NPM >= 9.5.0 (should be the default if Node >= 18) | ||
| - Ensure your `package.json` is complete and correct. NPM will cancel the release with specific errors if it finds a problem. Requirements may change in future NPM releases but include things like a `"repository"` field with `"url"` property matching the format `"git+https://github.com/user/repo"`. |
There was a problem hiding this comment.
is there documentation about this? I mean saying that the package file needs to be "complete and correct" isn't quite enough if provenance imposes additional constraints. either list the constraints or, even better, link to where these constraints are explained in the official docs
There was a problem hiding this comment.
Sadly they're not documented (nor is it straightforward to see requirements in the source).
I've reworked this section in the "Rework readme advice" commit.
README.md
Outdated
| - Ensure your CI runner uses NPM >= 9.5.0 (should be the default if Node >= 18) | ||
| - Ensure your `package.json` is complete and correct. NPM will cancel the release with specific errors if it finds a problem. Requirements may change in future NPM releases but include things like a `"repository"` field with `"url"` property matching the format `"git+https://github.com/user/repo"`. | ||
|
|
||
| If `provenance: true` is in your YML inputs and any condition isn't met, the release will cancel with an error. |
There was a problem hiding this comment.
let's be more specific. when will this fail exactly? I assume when you're trying to publish the package right?
There was a problem hiding this comment.
👍 I've reworked this section in the "Rework readme advice" commit
README.md
Outdated
|
|
||
| If `provenance: true` is in your YML inputs and any condition isn't met, the release will cancel with an error. | ||
|
|
||
| If you run a release without `provenance: true` when a previous release had provenance, the provenance banner on your package's NPM landing page will be removed but the banner will remain on the subpage for the previous release. |
There was a problem hiding this comment.
this is certainly good to know, but is it really something that we need to document or shall we just redirect the user to the official docs? I mean we are not the owners of this information, and it may change
There was a problem hiding this comment.
👍 I've reworked this section in the "Rework readme advice" commit
src/utils/provenance.js
Outdated
| * Split out as its own export so it can be easily mocked in tests. | ||
| */ | ||
| async function getNpmVersion() { | ||
| return await execWithOutput('npm', ['-v']) |
There was a problem hiding this comment.
nit: not necessary to await the last async function invoked by an async function, it can simply be returned
src/utils/execWithOutput.js
Outdated
| const options = { | ||
| silent: false, | ||
| } | ||
| options.silent = false |
There was a problem hiding this comment.
minor: can we implement this differently so if for whatever reason the caller specifies that silent should be true, we don't override it?
test/release.test.js
Outdated
| @@ -200,6 +216,73 @@ tap.test('Should publish to npm without optic', async () => { | |||
| }) | |||
| }) | |||
|
|
|||
| tap.only( | |||
There was a problem hiding this comment.
remove .only, here and in the other tests
| semver: ${{ github.event.inputs.semver }} | ||
| npm-tag: ${{ github.event.inputs.tag }} | ||
| # add this to activate the action's provenance feature | ||
| provenance: true |
There was a problem hiding this comment.
wondering if there's a way to highlight certain lines using github code highlighting
There was a problem hiding this comment.
Seems not, sadly:
- There's an open feature request for it
- There's a hacky workaround but it clashes with syntax highlighting and strips styling, only supports hard-to-see bolding of text in non-syntax-highlighted code blocks.
README.md
Outdated
| NPM has some internal [requirements](https://docs.npmjs.com/generating-provenance-statements#prerequisites) for generating provenance. Unfortunately as of May 2023, not all are documented by NPM; some key requirements are: | ||
|
|
||
| - `id-token: write` must be added to your `release.yml`'s **permissions** | ||
| - NPM must on version 9.5.0 or greater (this will be met if our recommended `runs-on: ubuntu-latest` is used) |
There was a problem hiding this comment.
This is the only main outstanding thing I need to understand and we need to decide if we want to do something about.
The action at the moment uses whatever version of Node is installed in the runner, which you already figured out should be good enough when using the built-in runners (ubuntu specifically, but let's assume this is true for the others too).
Yet there is a way for us to force a specific version of Node by using the setup-node action from within our action. This would allow us to make sure we install a recent node version, meaning that we would know provenance would work (thereby allowing us to remove much of the npm-version-specific logic you have written), yet I'm not sure if the action forcing a certain node version is a sensible decision for this action. We just never had this problem before, but maybe it's just about the right time we think about it.
There was a problem hiding this comment.
I'd say no because it adds maintenance burden on our side (we'd need to choose when to update now and in future) and seems to go against least-surprise: right now, there's a very clear division of responsibility, where the user-side yml sets up the environment and runner, then our script runs inside their environment.
I'd thought about this, there's a few ways we could do it if we wanted to, the least obtrusive I could think of was adding something like "engines": { "npm": ">=9.5.0" } to package.json, which is better than specifying a node version because it allows users to be more up to date (e.g. they can jump to Node 20 before we do), and it doesn't impose on node version when all we have any reason to care about is NPM version.
But even that felt a bit heavy-handed for an opt-in feature. If a user wants an old NPM version (e.g. IIRC some projects stick to 8.5 to avoid side effects of changes to dependency resolution), and they don't care about provenance, there's really nothing wrong with that and no reason to stand in their way. Just tell them why it didn't work if they do try out provenance.
|
@simoneb I've responded to the questions and pushed a couple of typo fixes I saw. If you're happy for it to be merged, looks like you need to do the final squash-merge:
|
|
Yep thanks I agree with your conclusions, thanks! |
closes #285
Adds provenance support, with: