
Support NPM Package Provenance #88

Closed
sachaw opened this issue Apr 26, 2023 · 10 comments · Fixed by #92 or #93
Labels
enhancement New feature or request

Comments

@sachaw

sachaw commented Apr 26, 2023

Hi, could we please have an option that sets the --provenance flag as outlined in:
https://github.blog/2023-04-19-introducing-npm-package-provenance/

Thanks.

@mcous
Member

mcous commented Apr 26, 2023

I'll look into adding official support via an option, but in the meantime, provenance should already work! As noted in the npm documentation, since this action calls npm publish directly, you can configure the provenance option in a few different ways:

  1. An environment variable
  2. The publishConfig option of package.json
  3. A project-local .npmrc file

All three should be compatible with this action, and I recommend option 2 - the package.json field - for portability.

Manifest:

{
  "name": "my-cool-package",
  "version": "1.2.3",
  "publishConfig": {
    "provenance": true
  }
}

Workflow:

name: Publish package to npm with provenance
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install -g npm@latest
      - run: npm ci
      - uses: JS-DevTools/npm-publish@v2
        with:
          token: ${{ secrets.NPM_TOKEN }}

@mcous mcous added the enhancement New feature or request label Apr 26, 2023
@sachaw
Author

sachaw commented Apr 27, 2023

Excellent, big thanks for the solutions.

@sachaw
Author

sachaw commented Apr 27, 2023

Update: option 2 isn't working for me:

Automatic provenance generation not supported outside of GitHub Actions

For reference, here's the repo: https://github.com/meshtastic/js

@mcous
Member

mcous commented Apr 27, 2023

It looks like your CI workflow does not do three things that are present in the example workflow from the npm docs.

  1. Configure the id-token: write permission
  2. Use actions/setup-node to put a specific version of Node in the PATH
  3. Upgrade to the latest version of npm

I haven't tried this myself, but it's my understanding that (1) is required. (2) and (3) may be as well.

I'd recommend giving the npm docs another read-through to check your specific setup. Otherwise, I'll be able to take a closer look at this in a few days, since I'll be wanting publish provenance configured here, too.

@sachaw
Author

sachaw commented Apr 27, 2023

The setup-node is required, as npm publish is called.
Is there any scope to add a flag that lets you choose your command prefix/package manager?
i.e.:

      - uses: JS-DevTools/npm-publish@v2
        with:
          token: ${{ secrets.NPM_TOKEN }}
          package-manager: pnpm

As most of the package manager alternatives are npm-compatible anyway, it should just be a matter of changing the command.

@mcous
Member

mcous commented Apr 28, 2023

The setup-node is required, as npm publish is called.

Cool, I appreciate you being the guinea pig on this one!

Is there any scope to add a flag that lets you choose your command prefix/package manager?

I'm not sure, and I'm a little hesitant to add that feature. It wouldn't necessarily be trivial, since we read and parse the output of npm, so a different package manager could require bespoke output-parsing logic.

With pnpm in particular, I believe pnpm publish --recursive can replace this action entirely, since it does similar "publish versions that do not yet exist in the registry" logic. Where possible, I think relying on your existing toolchain to publish rather than pulling in another tool like this action is generally preferable.

@sachaw
Author

sachaw commented Apr 28, 2023

Great, thanks for the feedback

@mcous
Member

mcous commented May 1, 2023

This feature has been merged, and will be released with version 2.1.0 tomorrow morning, Eastern US time.

@shyim

shyim commented May 15, 2023

I tried this out and it does not seem to work. Did I miss something? https://github.com/shopware/admin-extension-sdk/actions/runs/4977275682/jobs/8906158681#step:8:5

@mcous
Member

mcous commented May 15, 2023

@shyim I haven't sat down at my computer and verified this yet, but my best guess is that you're not using a new enough version of the npm CLI. Your action configuration uses Node v16 and does not upgrade npm to a later version.

Node v16 currently ships with npm version 8.x.x, but provenance requires at least version 9.5.0. Node v18 and v20 both ship with npm >=9.5, or you could add an npm install -g npm@latest step (or use an explicit version, if you prefer) to your workflow.

This package publishes itself to npm with provenance (using publishConfig in package.json), so you can reference its workflow file as an example.


Edit: I have confirmed that npm does not complain about unknown command line arguments, so if you attempt to use --provenance with an old version of npm, it will happily publish your package without complaint. I'll update the docs with this note.
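The two failure modes discussed in this thread (provenance silently skipped on npm < 9.5.0, and "Automatic provenance generation not supported outside of GitHub Actions" when the job is not set up for it) are easy to catch before npm publish runs. The following pre-flight script is an added example, not code from JS-DevTools/npm-publish or from npm; it checks the three configuration mechanisms mcous lists at the top of the thread and the minimum npm version from this comment. It assumes (not stated on the page) that the environment-variable form is NPM_CONFIG_PROVENANCE, and that npm detects the runner via the GITHUB_ACTIONS and ACTIONS_ID_TOKEN_REQUEST_URL variables, the latter being present only when the job has permissions: id-token: write. The sample inputs at the bottom are constructed.

```javascript
// Pre-flight check for npm provenance publishing. Example code, not part of
// JS-DevTools/npm-publish or npm. Facts taken from the thread:
//  - provenance can be enabled via an env var, publishConfig, or a project .npmrc;
//  - npm < 9.5.0 silently ignores --provenance, so the version must be checked;
//  - provenance generation only works inside GitHub Actions.
// Assumptions (not on the page): the env var is NPM_CONFIG_PROVENANCE, and npm
// detects the runner via GITHUB_ACTIONS / ACTIONS_ID_TOKEN_REQUEST_URL.

const MIN_NPM = [9, 5, 0];

// Parse "9.6.7" (also "v9.6.7" or "9.6.7-pre.1") into [major, minor, patch].
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable npm version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when the given npm version is >= 9.5.0.
function npmSupportsProvenance(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== MIN_NPM[i]) return v[i] > MIN_NPM[i];
  }
  return true;
}

// Minimal .npmrc parser: "key=value" lines; "#" and ";" comment lines ignored.
function parseNpmrc(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

const TRUTHY = new Set(['true', '1']);

// Which of the three mechanisms enables provenance, or null if none does.
function provenanceSource({ env = {}, pkg = {}, npmrc = '' }) {
  if (pkg.publishConfig && pkg.publishConfig.provenance === true) return 'publishConfig';
  if (TRUTHY.has(String(env.NPM_CONFIG_PROVENANCE ?? '').toLowerCase())) return 'env';
  if (TRUTHY.has(String(parseNpmrc(npmrc).provenance ?? '').toLowerCase())) return 'npmrc';
  return null;
}

// Returns a list of problems; an empty list means provenance publishing should work.
function preflight({ npmVersion, env = {}, pkg = {}, npmrc = '' }) {
  const problems = [];
  if (!npmSupportsProvenance(npmVersion)) {
    problems.push(`npm ${npmVersion} is older than 9.5.0: --provenance would be silently ignored`);
  }
  if (!provenanceSource({ env, pkg, npmrc })) {
    problems.push('provenance not enabled via env var, publishConfig, or .npmrc');
  }
  if (env.GITHUB_ACTIONS !== 'true') {
    problems.push('not running inside GitHub Actions');
  } else if (!env.ACTIONS_ID_TOKEN_REQUEST_URL) {
    problems.push('no OIDC token endpoint: the job needs permissions: id-token: write');
  }
  return problems;
}

// Constructed sample inputs mirroring the thread's cases (not real CI data).
const goodRun = {
  npmVersion: '9.6.7',
  pkg: { publishConfig: { provenance: true } },
  env: { GITHUB_ACTIONS: 'true', ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/token' },
};
const node16Run = { ...goodRun, npmVersion: '8.19.4' };       // shyim's case
const noIdToken = { ...goodRun, env: { GITHUB_ACTIONS: 'true' } }; // missing id-token: write

for (const [name, run] of [['good', goodRun], ['node16', node16Run], ['noIdToken', noIdToken]]) {
  console.log(name, preflight(run));
}
```

In a real workflow, npmVersion would come from `npm --version`, env from process.env, pkg from package.json, and npmrc from the project's .npmrc; running the check as a step before JS-DevTools/npm-publish turns a silently unsigned release into a failed job.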
