From 5eb9626d253fffc03ddd7b9d6f5f58b5b0ae961d Mon Sep 17 00:00:00 2001
From: Kelly Mears
Date: Fri, 12 May 2023 12:32:23 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20security:=20support=20npm=20pack?= =?UTF-8?q?age=20provenance?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/release-nightly.yml | 25 ++++++++++---------
 .../sources/command/lint.command.ts | 8 ++++--
 .../sources/command/release.command.ts | 7 +++++-
 3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index d9b4a2d983..7df97f88bc 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -8,24 +8,25 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+
 steps:
- - name: Checkout
- uses: actions/checkout@v3
+ - uses: actions/checkout@v3
 with:
 fetch-depth: 0
- - name: Setup
- uses: actions/setup-node@v3
+ - uses: actions/setup-node@v3
 with:
- node-version: 18.12.1
+ node-version: 18.x
 cache: yarn
- - name: yarn
- run: yarn
+ - run: npm install -g npm
+
+ - run: yarn
- - name: set npmAuthToken
- run: |
- yarn config set npmAuthToken ${{ secrets.NODE_AUTH_TOKEN }}
+ - run: yarn config set npmAuthToken ${{ secrets.NODE_AUTH_TOKEN }}
- - name: Release nightly
- run: yarn @bud release --tag nightly --registry https://registry.npmjs.org
+ - run: yarn @bud release --tag nightly --registry https://registry.npmjs.org
diff --git a/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts b/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts
index 9e91a776db..711928c386 100644
--- a/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts
+++ b/sources/@repo/yarn-plugin-bud/sources/command/lint.command.ts
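Review bot: In release-nightly.yml, the added step `- run: npm install -g npm` installs whatever npm is current at run time into a job that now holds `id-token: write` and the registry token, so the tooling in the signing and publishing path is unpinned. npm documents provenance as needing CLI 9.5.0 or later, so an exact version that meets that floor (`- run: npm install -g npm@<PINNED_VERSION>`) keeps the nightly reproducible without losing the feature. The same job still interpolates `${{ secrets.NODE_AUTH_TOKEN }}` directly into a shell line and writes it into the Yarn config file through `yarn config set`; supplying it as a step-level `env:` value instead (Yarn reads `YARN_NPM_AUTH_TOKEN`) would keep the token out of the script text and off the runner's disk.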
@@ -14,7 +14,11 @@ export class Lint extends Command {
 /**
 * Command paths
 */
- public static paths: CommandClass['paths'] = [[`@bud`, `lint`], [`@bud`, `eslint`], [`lint`]]
+ public static paths: CommandClass['paths'] = [
+ [`@bud`, `lint`],
+ [`@bud`, `eslint`],
+ [`lint`],
+ ]
 /**
 * Command usage
@@ -40,7 +44,7 @@ export class Lint extends Command {
 `--config`,
 `./config/eslint.config.cjs`,
 `--no-error-on-unmatched-pattern`,
- ...this.passthrough ?? [],
+ ...(this.passthrough ?? []),
 ],
 {stderr: this.context.stderr},
 ])
diff --git a/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts b/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts
index b76102eb70..7e9b06c5c7 100644
--- a/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts
+++ b/sources/@repo/yarn-plugin-bud/sources/command/release.command.ts
@@ -91,10 +91,15 @@ export class Release extends Command {
 this.version = utcSemver
 }
 }
+
 await this.$([`yarn`, [`@bud`, `version`, this.version]])
 await this.$(
- `yarn workspaces foreach --no-private npm publish --access public --tag ${this.tag}`,
+ `yarn workspaces foreach --no-private npm publish --access public --tag ${
+ this.tag
+ } ${
+ this.registry !== `http://localhost:4873` ? `--provenance` : ``
+ }`,
 )
 await this.$([`yarn`, [`@bud`, `version`, `0.0.0`]])
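Review bot: In release.command.ts the `--provenance` switch is decided by a deny-list of one literal, ``this.registry !== `http://localhost:4873` ``, so any other value (a trailing slash, `http://127.0.0.1:4873`, a private mirror, or a maintainer's machine pointed at npmjs) requests provenance, and a publish that asks for it outside a CI runner able to mint an OIDC token is expected to fail. An allow-list reads safer and matches what the nightly workflow passes: ``const provenance = this.registry === `https://registry.npmjs.org` && process.env.GITHUB_ACTIONS === `true` `` followed by ``${provenance ? `--provenance` : ``}`` in the template. It is also worth confirming that the `yarn npm publish` shipped with the Yarn release this repo pins accepts `--provenance`, because the flag is forwarded to Yarn here rather than to the npm CLI. The enclosing method starts and ends outside this hunk, so how `this.registry` and `this.tag` are populated and validated cannot be seen from these lines.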