Skip to content

Commit

Permalink
chore: Publish to NPM with provenance (#91)
Browse files Browse the repository at this point in the history
The release process in this repository is already automated via
GitHub Actions, which is a great first step toward creating trust in the
supply chain. Recently, NPM has started to support publishing with the
`--provenance` flag. This flag creates a link between the GitHub Actions
run that created the release and the final artifact on NPM. This linkage
further ensures that package installs can be traced back to a specific
code revision.

For more information on publishing with provenance, please refer to:
https://github.blog/2023-04-19-introducing-npm-package-provenance/
  • Loading branch information
meyfa authored Sep 16, 2023
1 parent 5c0519b commit 53c620d
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout Code
uses: actions/checkout@v3
Expand All @@ -19,7 +22,7 @@ jobs:
env:
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
- run: npm run build
- run: npm publish --access public
- run: npm publish --access public --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down

0 comments on commit 53c620d

Please sign in to comment.