Skip to content

Commit

Permalink
ci: add provenance to insider packages (#336)
Browse files Browse the repository at this point in the history
This commit adds provenance for insider packages. See the NPM documentation [0].

Provenance will allow people to verify that the packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements
  • Loading branch information
saibotk authored Mar 22, 2024
1 parent 8d133ec commit e1d4dc7
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion .github/workflows/release-insiders.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ on:
push:
branches: [master]

permissions:
contents: read
id-token: write

jobs:
build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -49,7 +53,7 @@ jobs:
run: npm version 0.0.0-insiders.${{ steps.vars.outputs.sha_short }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag insiders
run: npm publish --provenance --tag insiders
env:
CI: true
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 comments on commit e1d4dc7

Please sign in to comment.