fix: add provenance

sanity-io · Apr 2, 2024 · 0b93a50 · 0b93a50
1 parent 336afc1
commit 0b93a50
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 12 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @sanity-io/ecosystem
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,5 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>sanity-io/renovate-config"],
+  "ignorePresets": [":ignoreModulesAndTests", "github>sanity-io/renovate-config:group-non-major"]
+}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,43 +8,65 @@ on:
       - beta
       - alpha
 
+permissions:
+  contents: read # for checkout
+
 jobs:
   test:
     runs-on: ${{ matrix.platform }}
     name: Node.js ${{ matrix.node-version }} / ${{ matrix.platform }}
     strategy:
       fail-fast: false
       matrix:
-        platform: [ubuntu-latest, macos-latest]
+        platform: [ubuntu-latest]
         node-version: [lts/*, current]
+        include:
+          - platform: macos-latest
+            node-version: lts/*
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
       - uses: actions/setup-node@v4
         with:
+          cache: pnpm
           node-version: ${{ matrix.node-version }}
-      - run: npm i pnpm@latest -g
+      - run: corepack enable && pnpm --version
       - run: pnpm install
       - run: pnpm build
       - run: pnpm lint
       - run: pnpm test
 
   release:
+    permissions:
+      id-token: write # to enable use of OIDC for npm provenance
     name: 'Semantic release'
     needs: test
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.ECOSPARK_APP_ID }}
+          private-key: ${{ secrets.ECOSPARK_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
           # Need to fetch entire commit history to
           # analyze every commit since last release
           fetch-depth: 0
+          # Uses generated token to allow pushing commits back
+          token: ${{ steps.app-token.outputs.token }}
+          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
+          persist-credentials: false
+      - uses: pnpm/action-setup@v3
       - uses: actions/setup-node@v4
         with:
+          cache: pnpm
           node-version: lts/*
-      - run: npm i pnpm@latest -g
+      - run: corepack enable && pnpm --version
       - run: pnpm install
       # Branches that will release new versions are defined in .releaserc.json
       - run: pnpm exec semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
diff --git a/renovate.json b/renovate.json