-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support NPM Package Provenance #88
Comments
I'll look into adding official support via an option, but in the mean time,
All three should be compatible with this action, and I recommend option 2 - the Manifest: {
"name": "my-cool-package",
"version": "1.2.3",
"publishConfig": {
"provenance": true
}
} Workflow: name: Publish package to npm with provenance
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18'
- run: npm install -g npm@latest
- run: npm ci
- uses: JS-DevTools/npm-publish@v2
with:
token: ${{ secrets.NPM_TOKEN }} |
Excellent, Big thanks for the solutions |
Update, option 2 isn't working for me:
For reference, here's the repo: https://github.com/meshtastic/js |
It looks like your CI workflow does not do three things that are present in the example workflow from the npm docs.
I haven't tried this myself, but it's my understanding that (1) is required. (2) and (3) may be as well. I'd recommend giving the npm docs another read through to check your specific setup. Otherwise, I'll be able to take a closer look at this in a few days, since I'll be wanting publish provenance configured here, too |
The - uses: JS-DevTools/npm-publish@v2
with:
token: ${{ secrets.NPM_TOKEN }}
package-manager: pnpm as most of the package manager alternatives are npm compatible anyways, it should just be a matter of changing the command. |
Cool, I appreciate you being the guinea pig on this one!
I'm not sure, and I'm a little hesitant to add that feature. It wouldn't necessarily be trivial, since we read and parse the output of With |
Great, thanks for the feedback |
This feature has been merged, and will be released with version 2.1.0 tomorrow morning, eastern US time |
I tried this out and it does not seems to work. Did I missed something? https://github.com/shopware/admin-extension-sdk/actions/runs/4977275682/jobs/8906158681#step:8:5 |
@shyim I haven't sat down at my computer and verified this yet, but my best guess is that you're not using a new enough version of the npm CLI. Your action configuration uses Node v16 and does not upgrade npm to a later version. Node v16 currently ships with npm version 8.x.x, but provenance requires at least version 9.5.0. Node v18 and v20 both ship with npm >=9.5, or you could add an This package publishes itself to npm with provenance (using publishConfig in package.json) so you can reference its workflow file as an example Edit: I have confirmed that |
Hi, could we please have an option that sets the
--provenance
flag as outlined in:https://github.blog/2023-04-19-introducing-npm-package-provenance/
Thanks.
The text was updated successfully, but these errors were encountered: