ci: add provenance to insider packages (#154)

This commit adds provenance for insider packages. See the NPM documentation [0]. Provenance will allow people to verify that the packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security. For this to work, the `id-token` permission was added only where necessary. [0]: https://docs.npmjs.com/generating-provenance-statements
tailwindlabs · Mar 22, 2024 · c9d9da3 · c9d9da3
1 parent e6bcd1f
commit c9d9da3
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
@@ -4,6 +4,10 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -40,11 +44,11 @@ jobs:
         id: vars
         run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
 
-      - name: "Version based on commit: 0.0.0-insiders.${{ steps.vars.outputs.sha_short }}"
+      - name: 'Version based on commit: 0.0.0-insiders.${{ steps.vars.outputs.sha_short }}'
         run: npm version 0.0.0-insiders.${{ steps.vars.outputs.sha_short }} --force --no-git-tag-version
 
       - name: Publish
-        run: npm publish --tag insiders
+        run: npm publish --provenance --tag insiders
         env:
           CI: true
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}