From 131053164ec101bd34d0460f305504609ec2031f Mon Sep 17 00:00:00 2001
From: Jacob Bandes-Storch
Date: Fri, 5 Apr 2024 20:56:29 -0700
Subject: [PATCH] Add provenance attestation when publishing to NPM

---
 .github/workflows/ci.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf2c3eb..b531337 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,10 @@ jobs:
     name: push
     runs-on: ubuntu-latest
+    permissions:
+      # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
+      id-token: write
+
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
@@ -24,8 +28,15 @@ jobs:
       - run: yarn run lint:ci
       - run: yarn run test
+      - run: yarn pack
+      - name: Publish to NPM (dry run)
+        # `yarn publish` does not support --provenance
+        run: npm publish foxglove-rosmsg-*.tgz --provenance --access public --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Publish to NPM
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: yarn publish --access public
+        # `yarn publish` does not support --provenance
+        run: npm publish foxglove-rosmsg-*.tgz --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
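Review bot: The new job-level `permissions:` block names only `id-token: write`, and a job-level `permissions` key sets every scope it does not list to `none`, so the job's `GITHUB_TOKEN` no longer carries the default `contents: read` that the `actions/checkout@v2` step a few lines below normally uses. The npm document linked in the comment shows the block as `contents: read` together with `id-token: write`; adding `contents: read` here makes the grant explicit and least-privilege instead of depending on the repository being publicly readable. The `steps:` list continues past the end of the hunk.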
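Review bot: The new dry-run step passes `NPM_PUBLISH_TOKEN` to every run of the `push` job rather than only to tag builds, which widens where the publish credential is exposed; as far as I can tell `npm publish --dry-run` does not contact the registry, so the `env:` block on that step can be dropped. For the same reason the dry run most likely does not exercise the `--provenance` path, since the attestation is generated during the real publish, so the step checks the packed tarball rather than the provenance setup; the step comment should say so, e.g. `# dry run validates the packed tarball; provenance is only generated on the real publish`. The `foxglove-rosmsg-*.tgz` argument is shell-expanded and would pass several tarballs if more than one were present, so naming the output with `yarn pack --filename` and publishing that exact file would pin it. The step list continues outside the hunk.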