Attest npm package provenance (#4724)

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2025-08-09 10:22:46 +03:00 · 2025-02-19 12:31:09 +00:00
parent 2d381ade22
commit 5b939287cc
2 changed files with 13 additions and 13 deletions
--- a/.github/workflows/release-make.yml
+++ b/.github/workflows/release-make.yml
@@ -279,6 +279,9 @@ jobs:
        needs: release
        if: inputs.npm
        uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop
+        permissions:
+            contents: read
+            id-token: write
        secrets:
            NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -8,11 +8,14 @@ on:
            id:
                description: "The npm package@version string we published"
                value: ${{ jobs.npm.outputs.id }}
-permissions: {} # No permissions required
+permissions: {}
 jobs:
    npm:
        name: Publish to npm
        runs-on: ubuntu-24.04
+        permissions:
+            contents: read
+            id-token: write
        outputs:
            id: ${{ steps.npm-publish.outputs.id }}
        steps:
@@ -32,21 +35,15 @@ jobs:
              run: "yarn install --frozen-lockfile"

            - name: 🚀 Publish to npm
-              id: npm-publish
-              uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1
-              with:
-                  token: ${{ secrets.NPM_TOKEN }}
-                  access: public
-                  tag: next
-                  ignore-scripts: false
-
-            - name: Check npm package was published
-              if: steps.npm-publish.outputs.id == ''
-              run: exit 1
+              run: npm publish --provenance --access public --tag next
+              env:
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

            - name: 🎖️ Add `latest` dist-tag to final releases
              if: steps.npm-publish.outputs.id && !contains(steps.npm-publish.outputs.id, '-rc.')
-              run: npm dist-tag add "$release" latest
+              run: |
+                  release=$(jq -r '"\(.name)@\(.version)"' package.json)
+                  npm dist-tag add "$release" latest
              env:
                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
                  release: ${{ steps.npm-publish.outputs.id }}