Skip to content

Commit

Permalink
ci: add provenance to published packages (#1145)
Browse files Browse the repository at this point in the history
This commit adds provenance for all published packages. See the NPM documentation [0].

Provenance will allow people to verify that the packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.
Additionally, the repository link was added to the `package.json` for this to work.

[0]: https://docs.npmjs.com/generating-provenance-statements
  • Loading branch information
saibotk authored Mar 22, 2024
1 parent f736825 commit 957ba2f
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 6 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/release-insiders.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:

permissions:
contents: read
id-token: write

env:
CI: true
Expand Down Expand Up @@ -54,16 +55,16 @@ jobs:
run: npm version 0.0.0-insiders.${{ env.SHA_SHORT }} --force --no-git-tag-version --prefix vue

- name: Publish `heroicons`
run: npm publish --tag insiders
run: npm publish --provenance --tag insiders
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish `@heroicons/react`
run: npm publish ./react --tag insiders
run: npm publish ./react --provenance --tag insiders
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish `@heroicons/vue`
run: npm publish ./vue --tag insiders
run: npm publish ./vue --provenance --tag insiders
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
7 changes: 4 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:

permissions:
contents: read
id-token: write

env:
CI: true
Expand Down Expand Up @@ -45,16 +46,16 @@ jobs:
echo "RELEASE_CHANNEL=$(npm run release-channel --silent)" >> $GITHUB_ENV
- name: Publish `heroicons`
run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish `@heroicons/react`
run: npm publish ./react --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish ./react --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish `@heroicons/vue`
run: npm publish ./vue --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish ./vue --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"name": "heroicons",
"version": "2.1.1",
"license": "MIT",
"repository": "https://github.com/tailwindlabs/heroicons.git",
"files": [
"16/",
"20/",
Expand Down

0 comments on commit 957ba2f

Please sign in to comment.