🔐 security: support npm package provenance (#2259)

Support npm package provenance See: - #2230 - https://docs.npmjs.com/generating-provenance-statements ## Type of change **NONE: internal change**
roots · May 12, 2023 · 045b31f · 045b31f
1 parent 86c8c0f
commit 045b31f
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 15 deletions.
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -8,24 +8,25 @@ on:
 jobs:
  release:
  runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+
  steps:
- - name: Checkout
- uses: actions/checkout@v3
+ - uses: actions/checkout@v3
  with:
  fetch-depth: 0
 
- - name: Setup
- uses: actions/setup-node@v3
+ - uses: actions/setup-node@v3
  with:
- node-version: 18.12.1
+ node-version: 18.x
  cache: yarn
 
- - name: yarn
- run: yarn
+ - run: npm install -g npm
+
+ - run: yarn
 
- - name: set npmAuthToken
- run: |
- yarn config set npmAuthToken ${{ secrets.NODE_AUTH_TOKEN }}
+ - run: yarn config set npmAuthToken ${{ secrets.NODE_AUTH_TOKEN }}
 
- - name: Release nightly
- run: yarn @bud release --tag nightly --registry https://registry.npmjs.org
+ - run: yarn @bud release --tag nightly --registry https://registry.npmjs.org
diff --git a/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts b/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts
@@ -14,7 +14,11 @@ export class Lint extends Command {
  /**
  * Command paths
  */
- public static paths: CommandClass['paths'] = [[`@bud`, `lint`], [`@bud`, `eslint`], [`lint`]]
+ public static paths: CommandClass['paths'] = [
+ [`@bud`, `lint`],
+ [`@bud`, `eslint`],
+ [`lint`],
+ ]
 
  /**
  * Command usage
@@ -40,7 +44,7 @@ export class Lint extends Command {
  `--config`,
  `./config/eslint.config.cjs`,
  `--no-error-on-unmatched-pattern`,
- ...this.passthrough ?? [],
+ ...(this.passthrough ?? []),
  ],
  {stderr: this.context.stderr},
  ])

diff --git a/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts b/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts
@@ -91,10 +91,15 @@ export class Release extends Command {
  this.version = utcSemver
  }
  }
+
  await this.$([`yarn`, [`@bud`, `version`, this.version]])
 
  await this.$(
- `yarn workspaces foreach --no-private npm publish --access public --tag ${this.tag}`,
+ `yarn workspaces foreach --no-private npm publish --access public --tag ${
+ this.tag
+ } ${
+ this.registry !== `http://localhost:4873` ? `--provenance` : ``
+ }`,
  )
 
  await this.$([`yarn`, [`@bud`, `version`, `0.0.0`]])