From 0054eb39992434f1bcf6418f50e347f3f0d5f784 Mon Sep 17 00:00:00 2001
From: Lachlan Collins <1667261+lachlancollins@users.noreply.github.com>
Date: Thu, 11 Jul 2024 14:26:12 +1000
Subject: [PATCH] ci: enable npm provenance (#5654)
---
 .github/workflows/ci.yml | 8 ++++++--
 .github/workflows/pr.yml | 5 ++++-
 .npmrc | 1 +
 .nvmrc | 2 +-
 4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 603d3d2591..b8ea2bf5d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
 description: override release tag
 required: false
 push:
- branches: ['main', 'alpha', 'beta', 'rc']
+ branches: [main, alpha, beta, rc]
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@@ -16,6 +16,10 @@ concurrency:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+permissions:
+ contents: write
+ id-token: write
+
 jobs:
 test-and-publish:
 name: Test & Publish
@@ -42,6 +46,6 @@ jobs:
 npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
 pnpm run cipublish
 env:
- GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 TAG: ${{ inputs.tag }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 7a60ca8a58..7af298149a 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -14,6 +14,9 @@ concurrency:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test
@@ -30,7 +33,7 @@ jobs:
 - name: Get base and head commits for `nx affected`
 uses: nrwl/nx-set-shas@v4
 with:
- main-branch-name: 'main'
+ main-branch-name: main
 - name: Run Checks
 run: pnpm run test:pr --parallel=3
 - name: Stop Nx Agents
diff --git a/.npmrc b/.npmrc
index 6c2b9be4c4..84aee8d998 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,2 +1,3 @@
 link-workspace-packages=true
 prefer-workspace-packages=true
+provenance=true
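Review bot: The `permissions:` block added in the `@@ -16,6 +16,10 @@` hunk of `.github/workflows/ci.yml` sits at workflow level, so `contents: write` and `id-token: write` are granted to every job and every step of this workflow, including the test run and any third-party actions, rather than only to the publish step that needs them. Declaring the grant on the publishing job keeps it from spreading if a job is added later: leave `permissions:` / `contents: read` at the top and put `contents: write` and `id-token: write` under `test-and-publish:`. A comment such as `# id-token: write lets npm request the OIDC token that signs the provenance statement` would record why the grant exists. The job's steps lie outside the hunk, so whether testing and publishing could be split into separate jobs cannot be judged from here.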
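Review bot: In the `@@ -42,6 +46,6 @@` hunk of `.github/workflows/ci.yml`, `GH_TOKEN` now comes from the per-run `secrets.GITHUB_TOKEN`, but nothing records what becomes of the `GH_TOKEN` repository secret it replaces. If no other workflow still reads that secret, it should be deleted and the underlying token revoked so a long-lived credential is not left behind. The `env:` entry also deserves a comment, e.g. `# GITHUB_TOKEN is limited by this workflow's permissions block; tags and releases it creates do not trigger other workflows`, because that behaviour differs from a personal access token and may matter if `cipublish` pushes to a protected branch (not visible here). The step this `env:` belongs to starts outside the hunk.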
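Review bot: `provenance=true` in the repository-wide `.npmrc` applies to every publish made from this checkout, not only to the CI job that holds `id-token: write`. A publish from a developer machine or from a job without that permission would presumably stop at the provenance step, since no OIDC token is available there. If publishing only from the release workflow is intended, say so above the line, e.g. `; provenance attestation requires publishing from CI with id-token: write (see .github/workflows/ci.yml)`; otherwise set `NPM_CONFIG_PROVENANCE: true` in the publish step's `env:` instead. Running `npm audit signatures` in a consuming project after the first release confirms that the attestation is actually attached.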
diff --git a/.nvmrc b/.nvmrc
index eb800ed459..b8e593f521 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v18.19.0
+20.15.1