From cb8bb2beb215a94a29f19b0d66ab05d32b390230 Mon Sep 17 00:00:00 2001
From: Fabian Meyer <3982806+meyfa@users.noreply.github.com>
Date: Wed, 8 Nov 2023 15:25:03 +0100
Subject: [PATCH] chore(ci): Publish to NPM with provenance (#5835)

The release process in this repository is already automated via GitHub Actions, which is a great first step toward creating trust in the supply chain. Recently, NPM has started to support publishing with the `--provenance` flag. This flag creates a link between the GitHub Actions run that created the release and the final artifact on NPM. This linkage further ensures that package installs can be traced back to a specific code revision. For more information on publishing with provenance, please refer to: https://github.blog/2023-04-19-introducing-npm-package-provenance/

Co-authored-by: Jay
Co-authored-by: Dmitriy Mozgovoy
---
 .github/workflows/publish.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 394ae26..9a48542 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,6 +11,9 @@ jobs:
   publish:
     if: github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && github.event.pull_request.head.label == 'axios:release')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: "Release PR info"
         if: github.event_name != 'workflow_dispatch'
@@ -22,7 +25,7 @@ jobs:
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
       - uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: 18
           registry-url: https://registry.npmjs.org/
       - run: npm ci
       - name: get-npm-version
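Review bot: The new job-level `permissions:` block restricts GITHUB_TOKEN to `contents: read`, but the same job goes on to configure a git identity (second hunk) and to run the steps under `###### NOTIFY & TAG published PRs ######` (third hunk), which suggests it pushes tags or comments on PRs; if any of those steps rely on GITHUB_TOKEN rather than a separate token they will now be denied, so confirm that and add `contents: write` or `pull-requests: write` only if actually needed. `id-token: write` also lets every step in the job mint an OIDC token, including the third-party actions it runs, and the provenance attestation vouches for the workflow run rather than for those actions, so pinning `actions/setup-node@v3` to a commit SHA would close the remaining gap. A one-line comment above the block, `# least-privilege token: OIDC needed only for npm provenance`, would record why the scopes are what they are. The publish job's definition continues outside this hunk.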
@@ -50,7 +53,7 @@ jobs:
             ${{ steps.extract-release-notes.outputs.release_notes }}
       ############# NPM RELEASE ##############
       - name: Publish the release to NPM
-        run: npm publish
+        run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
       ###### NOTIFY & TAG published PRs ######
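Review bot: `npm publish --provenance` only works on a recent npm (the flag arrived in npm 9.5), and the only thing guaranteeing that here is the `node-version: 18` bump in the earlier hunk, so the dependency should be stated explicitly, e.g. a comment above the step such as `# --provenance needs npm >= 9.5; satisfied by the Node 18 line selected in setup-node above`, or a `run: npm --version` check before publishing. `--access public` is the default for an unscoped package name but changes the outcome for a scoped one, so a short comment on why it is passed would help a future maintainer. The attestation ties the published tarball to this run and revision; it does not validate the build inputs, so the `npm ci` against the committed lockfile in the earlier hunk remains the control that keeps the build reproducible. The step list continues outside this hunk.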