From 5b939287cc26f53002b5c9c31e7fc0275a19bb85 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Wed, 19 Feb 2025 12:31:09 +0000
Subject: [PATCH] Attest npm package provenance (#4724)

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 .github/workflows/release-make.yml | 3 +++
 .github/workflows/release-npm.yml | 23 ++++++++++-------------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/release-make.yml b/.github/workflows/release-make.yml
index 421115e68..5c046abf9 100644
--- a/.github/workflows/release-make.yml
+++ b/.github/workflows/release-make.yml
@@ -279,6 +279,9 @@ jobs:
 needs: release
 if: inputs.npm
 uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop
+ permissions:
+ contents: read
+ id-token: write
 secrets:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index 4d7b89283..1aadd7f34 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -8,11 +8,14 @@ on:
 id:
 description: "The npm package@version string we published"
 value: ${{ jobs.npm.outputs.id }}
-permissions: {} # No permissions required
+permissions: {}
 jobs:
 npm:
 name: Publish to npm
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ id-token: write
 outputs:
 id: ${{ steps.npm-publish.outputs.id }}
 steps:
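Review bot: The new job-level `permissions` block in release-make.yml grants `id-token: write` to the call of the reusable workflow without saying what consumes it, so someone auditing token scope in the caller has to follow the `uses:` reference into release-npm.yml to learn it is for OIDC-based npm provenance. A one-line comment on the grant keeps that visible at the point of privilege: `id-token: write # OIDC token used by release-npm.yml for npm publish --provenance`. The enclosing job definition starts before this hunk.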
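Review bot: The `# No permissions required` comment is dropped from the top-level `permissions: {}` in release-npm.yml while the `npm` job now opts in to `contents: read` and `id-token: write` a few lines below, leaving the default-deny line with no explanation of the exception. Suggest keeping a comment that states the split, e.g. `permissions: {} # default-deny; the npm job below requests only what provenance publishing needs`, and on the job-level `id-token: write` something like `# OIDC token for npm publish --provenance`. The `npm` job and its `steps:` list continue past this hunk.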
@@ -32,21 +35,15 @@ jobs: run: "yarn install --frozen-lockfile" - name: 🚀 Publish to npm - id: npm-publish - uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1 - with: - token: ${{ secrets.NPM_TOKEN }} - access: public - tag: next - ignore-scripts: false - - - name: Check npm package was published - if: steps.npm-publish.outputs.id == '' - run: exit 1 + run: npm publish --provenance --access public --tag next + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: 🎖️ Add `latest` dist-tag to final releases if: steps.npm-publish.outputs.id && !contains(steps.npm-publish.outputs.id, '-rc.') - run: npm dist-tag add "$release" latest + run: | + release=$(jq -r '"\(.name)@\(.version)"' package.json) + npm dist-tag add "$release" latest env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} release: ${{ steps.npm-publish.outputs.id }}
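Review bot: The removed `id: npm-publish` line leaves `steps.npm-publish.outputs.id` dangling: it is still read by the dist-tag step's `if:` and its `release` env in this hunk, and by the workflow-level `outputs.id` in the earlier hunk of this file, and with no step of that id the expression is empty, so the `latest` dist-tag step never runs and the `id` output the caller consumes is empty. The new `release=$(jq ...)` assignment only takes effect inside that step's shell and does not make the `if:` condition true, so the `-rc.` guard that kept prereleases off `latest` is effectively gone too. Restoring the step id and emitting the `id` output from package.json after a successful `npm publish` (with the runner's default `bash -e` shell a failed publish stops before the echo) keeps both the gate and the output working. The enclosing `steps:` list starts before this hunk.
```yaml
- name: 🚀 Publish to npm
  id: npm-publish
  run: |
    npm publish --provenance --access public --tag next
    echo "id=$(jq -r '"\(.name)@\(.version)"' package.json)" >> "$GITHUB_OUTPUT"
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# … unchanged: 🎖️ Add `latest` dist-tag step …
```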