[Feature] Add support for yarn npm publish --provenance and publishConfig.provenance option #5430

Open
2 tasks
wojtekmaj opened this issue May 8, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@wojtekmaj
Contributor

wojtekmaj commented May 8, 2023

  • I'd be willing to implement this feature (contributing guide)
  • This feature is important to have in this repository; a contrib plugin wouldn't do

Describe the user story

npm has recently announced npm provenance public beta. At the moment, the command yarn npm publish --provenance produces an error, while publishConfig.provenance is nowhere to be found in the docs, meaning - it may or may not work, who knows?

Describe the solution you'd like

  • Support and document --provenance flag in yarn npm publish command
  • Support and document publishConfig.provenance option in package.json

Describe the drawbacks of your solution

None that I know of

Describe alternatives you've considered

npm publish --provenance, but that doesn't allow me to use custom hooks I've implemented using Yarn plugins.

@rsoberano-ld

Hi, did this feature get any traction? We're interested in using yarn for publishing provenance as well.

For context, we currently use yarn npm publish to package and publish our packages. However, this doesn't output an artifact locally or the shasum of the artifact, so we have no way of generating build provenance from the artifact that yarn packages and publishes. It'd be ideal if yarn could support the --provenance parameter, but even outputting the shasum of the generated yarn package would be helpful to give us options here.

@wojtekmaj
Contributor Author

wojtekmaj commented Oct 18, 2023

For impatient ones: you can pack your package using Yarn, but publish it using npm. This way you can still e.g. use Yarn plugins. Only at the very last moment you pass the job on to npm, to publish prepared package.tgz file(s).

Here's how I did it:
wojtekmaj/react-async-button@5856920
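The pack-with-Yarn, publish-with-npm workaround from the comment above, sketched as an added example that is not part of the original thread or the linked commit. It also prints the tarball digests asked for earlier in the thread. Assumptions: a Yarn version with `yarn pack --out`, an npm version that supports `--provenance`, a CI environment npm accepts for provenance, and coreutils `sha1sum`/`sha512sum`; the function names and the default tarball name are hypothetical.

```sh
#!/bin/sh
# Added example: Yarn builds the tarball (so Yarn plugins and hooks still run),
# npm uploads that exact file with a provenance attestation.

# Hex SHA-1 of a file, the same digest form as the registry's dist.shasum field.
tarball_sha1() {
  sha1sum "$1" | cut -d' ' -f1
}

# Hex SHA-512 of a file, for recording alongside the build.
tarball_sha512() {
  sha512sum "$1" | cut -d' ' -f1
}

# Pack, record digests, then hand the finished tarball to npm.
# $1 is the tarball path (hypothetical default: package.tgz).
pack_and_publish() {
  _tarball="${1:-package.tgz}"

  yarn pack --out "$_tarball" || return 1

  # Refuse to publish if packing left no artifact behind.
  if [ ! -s "$_tarball" ]; then
    echo "no tarball at $_tarball, refusing to publish" >&2
    return 1
  fi

  # Log the digests before upload so the CI log ties the published
  # artifact to this build.
  echo "sha1   $(tarball_sha1 "$_tarball")"
  echo "sha512 $(tarball_sha512 "$_tarball")"

  # npm publishes the file Yarn produced instead of re-packing the directory.
  npm publish "$_tarball" --provenance
}

# Nothing is published unless the script is called as: script.sh publish [tarball]
if [ "${1:-}" = "publish" ]; then
  pack_and_publish "${2:-package.tgz}"
fi
```

Comparing the logged digests with what `npm view <package> dist` reports after publishing is a quick check that the registry holds the artifact this build produced.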

nekowinston added a commit to catppuccin/vscode that referenced this issue Jan 4, 2024
@MaikoTan

I quickly checked the code that publishes packages. It looks like yarn publishes packages with its own code instead of using npm under the hood, so is it required to implement npm's code in yarn as well?
Or would it be better to call npm publish instead when the user adds a --provenance option?

I am thrilled to see this feature implemented in yarn.

jtbandes added a commit to foxglove/three-text that referenced this issue Apr 6, 2024
### Changelog
None

### Description

Follow-up from #278. It appears `yarn npm publish` does not support
`--provenance` (yarnpkg/berry#5430). Per
yarnpkg/berry#5430 (comment)
this can be worked around by using `yarn pack` with `npm publish`.
HigherOrderLogic referenced this issue in HigherOrderLogic/nuxt-param-validators Sep 13, 2024