Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build: modifying publish action to use npm cli to include provenance in npm publish (#319)

**Requirements**
- [ ] I have added test coverage for new or changed functionality
- [ ] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [ ] I have validated my changes against all supported platform versions

**Related issues**

**Describe the solution you've provided**
Yarn publish doesn't currently support NPM's publish package with provenance functionality. As a workaround until this is supported, we'll pack the workspace with yarn in order to guarantee we get the same package as before, and then use the npm cli to do the final publish with provenance. This also involves passing the workspace path as input parameters to the publish actions/script, as npm's workspace functionality doesn't work exactly the same as yarn's. While npm's generated provenance isn't the most robust provenance attestation, it results in a verified checkmark on the npm package page, which brings the provenance closest to the consumer and makes it most useful.

**Describe alternatives you've considered**
Ideally we'd want yarn to support this natively, but tracking the yarn repo issues for the past couple of months has shown no movement here.

**Additional context**
Add any other context about the pull request here.
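The pack-then-publish workaround described in the commit message, written out as an added stand-alone script (example code, not the project's own publish script): it refuses to run on an npm CLI older than 9.5.0, the release that introduced `npm publish --provenance`, aborts if `yarn pack` fails or does not produce the tarball, and keeps the dry-run and prerelease behaviour the message describes. The environment variable names `WORKSPACE`, `WORKSPACE_PATH`, `LD_RELEASE_IS_DRYRUN` and `LD_RELEASE_IS_PRERELEASE` are assumed to be supplied by the caller as in the project's release script; `npm_publish` takes the command to invoke as its first argument so the flag logic can be checked without touching a registry.

```shell
#!/usr/bin/env sh
# Added example, not the project's publish script: pack a Yarn workspace with
# yarn, then publish the resulting tarball with the npm CLI so that npm
# generates provenance. WORKSPACE, WORKSPACE_PATH, LD_RELEASE_IS_DRYRUN and
# LD_RELEASE_IS_PRERELEASE are assumed to be set by the caller.
set -eu

# Return 0 if the given npm version string (e.g. "9.6.7") is >= 9.5.0,
# the release in which `npm publish --provenance` was introduced.
npm_supports_provenance() {
  major="${1%%.*}"
  rest="${1#*.}"
  minor="${rest%%.*}"
  if [ "$major" -gt 9 ]; then return 0; fi
  if [ "$major" -eq 9 ] && [ "$minor" -ge 5 ]; then return 0; fi
  return 1
}

# Run "<command> publish ..." on a packed tarball with provenance enabled.
#   $1  command to invoke (npm in production; tests pass echo to inspect the flags)
#   $2  path to the packed tarball
#   $3  "true" to publish under the prerelease dist-tag
npm_publish() {
  npm_cmd="$1"
  tarball="$2"
  prerelease="${3:-false}"
  set -- publish --provenance --access public
  if [ "$prerelease" = true ]; then
    set -- "$@" --tag prerelease
  fi
  "$npm_cmd" "$@" "$tarball"
}

publish_workspace() {
  npm_version="$(npm --version)"
  if ! npm_supports_provenance "$npm_version"; then
    echo "npm $npm_version is too old for --provenance (need 9.5.0 or newer)" >&2
    return 1
  fi

  # Pack with yarn so the published artifact is the package yarn would have
  # published; abort here rather than letting npm publish a missing or stale
  # tarball left over from an earlier run.
  yarn workspace "$WORKSPACE" pack || { echo "yarn pack failed" >&2; return 1; }
  tarball="./$WORKSPACE_PATH/package.tgz"
  if [ ! -f "$tarball" ]; then
    echo "expected tarball $tarball was not produced" >&2
    return 1
  fi

  if [ "${LD_RELEASE_IS_DRYRUN:-false}" = true ]; then
    echo "Dry run: packed $tarball, not publishing."
    return 0
  fi
  if [ "${LD_RELEASE_IS_PRERELEASE:-false}" = true ]; then
    echo "Publishing with prerelease tag."
  fi
  npm_publish npm "$tarball" "${LD_RELEASE_IS_PRERELEASE:-false}"
}

# Invoke as `sh publish.sh run`; without the argument the file only defines
# the functions, so it can be sourced and checked in isolation.
if [ "${1:-}" = run ]; then
  publish_workspace
fi
```

Passing `echo` as the first argument to `npm_publish` prints the exact argument list that would reach `npm`, which is a cheap way to confirm the tag and access flags in CI before a real release.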
Showing 6 changed files with 61 additions and 3 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -0,0 +1,16 @@ | ||
name: Install npm version | ||
# Used to specify a version of npm that supports --provenance (for node installs < 18.X) | ||
description: Install the latest version of the npm CLI utility. | ||
inputs: | ||
npm_version: | ||
description: 'The version of npm to install' | ||
required: false | ||
default: latest | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
- name: 'Install specified npm version' | ||
shell: bash | ||
run: | | ||
npm install -g npm@${{ inputs.npm_version }} |
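Review bot: `npm install -g npm@${{ inputs.npm_version }}` splices a caller-controlled input straight into the shell line, so a value such as `latest; some-command` would execute in the publishing job; pass it through the environment instead (`env: NPM_VERSION: ${{ inputs.npm_version }}` and `run: npm install -g "npm@$NPM_VERSION"`). The `latest` default also makes the publish toolchain non-reproducible: since the comment says the point is a version that supports `--provenance`, pin the default to a known-good npm version and let callers override it.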
@@ -1,13 +1,13 @@ | ||
#!/usr/bin/env bash | ||
yarn workspace $WORKSPACE pack | ||
if $LD_RELEASE_IS_DRYRUN ; then | ||
# Dry run just pack the workspace. | ||
echo "Doing a dry run of publishing." | ||
yarn workspace $WORKSPACE pack | ||
else | ||
if $LD_RELEASE_IS_PRERELEASE ; then | ||
echo "Publishing with prerelease tag." | ||
yarn workspace $WORKSPACE npm publish --tag prerelease || { echo "npm publish failed" >&2; exit 1; } | ||
npm publish --tag prerelease --provenance --access public "./$WORKSPACE_PATH/package.tgz" || { echo "npm publish failed" >&2; exit 1; } | ||
else | ||
yarn workspace $WORKSPACE npm publish || { echo "npm publish failed" >&2; exit 1; } | ||
npm publish --provenance --access public "./$WORKSPACE_PATH/package.tgz" || { echo "npm publish failed" >&2; exit 1; } | ||
fi | ||
fi |
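Review bot: the new unconditional `yarn workspace $WORKSPACE pack` has no failure handling, unlike the `npm publish` lines that follow it, so if packing fails the script carries on and `npm publish` either errors on a missing `./$WORKSPACE_PATH/package.tgz` or, worse, publishes a stale tarball left over from an earlier run with fresh provenance attached; add `|| { echo "yarn pack failed" >&2; exit 1; }` (or `set -euo pipefail` at the top) and check that the tarball exists before publishing. Quote `$WORKSPACE` as well, now that the publish path relies on it and on the separately supplied `$WORKSPACE_PATH` agreeing with each other.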