
[Feature Request] NPM provenance #2770

Closed
jonluca opened this issue Apr 20, 2023 · 6 comments

Comments

@jonluca

jonluca commented Apr 20, 2023

New feature motivation

You can generate provenance statements for the packages you publish. This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

New feature description

https://docs.npmjs.com/generating-provenance-statements

NPM has provenance statements in Github Actions - it would be great if we could add a flag that adds it in semantic-release

New feature implementation

No response

@travi
Member

travi commented Apr 21, 2023

This is already supported. Please see https://github.com/semantic-release/npm#npm-provenance

Would additional details or highlighting this in another part of our docs make this more clear?

@travi
Member

travi commented Apr 21, 2023

I've added another mention of using provenance to our docs here, so I'm going to close this for now. Feel free to still respond if you think that other mentions elsewhere would have been helpful when you were looking for this information.

@travi travi closed this as completed Apr 21, 2023
@jonluca
Author

jonluca commented Apr 21, 2023

Awesome, nope I should've RTFM. Thanks!

@travi
Member

travi commented Apr 21, 2023

No worries. Since it's new, I'm still trying to figure out the best way to make it clear that we're good to go. Excited to see that you're already opting in to using provenance 🎉

@jonluca
Author

jonluca commented Apr 21, 2023

One more minor thing that is definitely due to me blindly copy + pasting, but if you copy + paste the default CI workflow from the npm docs you link to, it causes semantic-release to fail with EGITNOPERMISSION.

The docs have

name: Publish Package to npmjs
on:
  release:
    types: [created]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18.x'
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

as the default, but it needs to be:

    permissions:
      contents: write
      id-token: write

for it to work (due to pushing to the master branch)

@travi
Member

travi commented Apr 28, 2023

Do you have a suggestion to improve our reference? We don't have direct influence over the npm docs, but there is a link at the bottom of their docs to contribute to them. Have you suggested a change there?

Since npm provenance requires a project to be an npm package and published from GitHub Actions, the details do end up being split between the documentation for each of the plugins a bit. The GitHub Actions recipe has the consolidated permissions defined within it. Interested if there are suggestions to improve to make the details easier to find.
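The thread above boils down to one configuration point: the npm docs' workflow grants only `contents: read`, which is enough for a bare `npm publish --provenance`, but semantic-release also has to push tags and release commits, so it needs `contents: write` on top of `id-token: write`. The workflow below is an added example written for this page; it is not code from the issue, from the npm docs, or from semantic-release's own recipe. It assumes the release branch is `main`, that a repository secret named `NPM_TOKEN` holds an npm token allowed to publish the package, and that the default `GITHUB_TOKEN` is used for the GitHub side; the workflow and job names are placeholders.

```yaml
# Added example (not from the issue thread, the npm docs, or semantic-release's recipe):
# run semantic-release on GitHub Actions with npm provenance enabled.
# `main`, the workflow/job names and the NPM_TOKEN secret name are assumptions.
name: Release
on:
  push:
    branches: [main]

# Default for every job in this file: read-only. Only the release job widens it.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # semantic-release pushes the release tag/commit (the EGITNOPERMISSION fix)
      issues: write          # @semantic-release/github comments on resolved issues
      pull-requests: write   # @semantic-release/github comments on merged PRs
      id-token: write        # lets npm obtain the OIDC token that backs the provenance attestation
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0              # full history so semantic-release can find the previous tag
          persist-credentials: false  # semantic-release authenticates with GITHUB_TOKEN below, not the checkout credential
      - uses: actions/setup-node@v3
        with:
          node-version: 'lts/*'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm audit signatures   # fails the job if a dependency's registry signature is missing or invalid
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true  # picked up by the `npm publish` that @semantic-release/npm runs
```

Two things to check after the first run: the job must actually run on GitHub-hosted infrastructure (provenance is tied to the OIDC token the runner mints), and the published version's page on npmjs.com should show the "Provenance" panel linking back to this workflow run and commit. If it does not, the usual cause is that `id-token: write` was set at the wrong level, or that `NPM_CONFIG_PROVENANCE` never reached the publish step.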
