diff --git a/workspaces/libnpmpublish/lib/publish.js b/workspaces/libnpmpublish/lib/publish.js index 353688a10eac1..3f70a30bd8b50 100644 --- a/workspaces/libnpmpublish/lib/publish.js +++ b/workspaces/libnpmpublish/lib/publish.js @@ -141,15 +141,23 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => { digest: { sha512: integrity.sha512[0].hexDigest() }, } - // Ensure that we're running in GHA and an OIDC token is available, - // currently the only supported build environment - if (ciInfo.name !== 'GitHub Actions' || !process.env.ACTIONS_ID_TOKEN_REQUEST_URL) { + // Ensure that we're running in GHA, currently the only supported build environment + if (ciInfo.name !== 'GitHub Actions') { throw Object.assign( new Error('Automatic provenance generation not supported outside of GitHub Actions'), { code: 'EUSAGE' } ) } + // Ensure that the GHA OIDC token is available + if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) { + throw Object.assign( + /* eslint-disable-next-line max-len */ + new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'), + { code: 'EUSAGE' } + ) + } + const visibility = await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts) if (!visibility.public && opts.provenance === true && opts.access !== 'public') { diff --git a/workspaces/libnpmpublish/test/publish.js b/workspaces/libnpmpublish/test/publish.js index 6daaeefc2c61b..d64952c189403 100644 --- a/workspaces/libnpmpublish/test/publish.js +++ b/workspaces/libnpmpublish/test/publish.js @@ -784,7 +784,7 @@ t.test('automatic provenance in unsupported environment', async t => { mockGlobals(t, { 'process.env': { CI: false, - GITHUB_ACTIONS: false, + GITHUB_ACTIONS: undefined, }, }) const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') }) @@ -806,3 +806,31 @@ t.test('automatic provenance in unsupported environment', async t => { } ) }) + +t.test('automatic provenance with incorrect permissions', async t => { + mockGlobals(t, { + 'process.env': { + CI: false, + GITHUB_ACTIONS: true, + ACTIONS_ID_TOKEN_REQUEST_URL: undefined, + }, + }) + const { publish } = t.mock('..', { 'ci-info': t.mock('ci-info') }) + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + access: null, + provenance: true, + }), + { + message: /requires "write" access/, + code: 'EUSAGE', + } + ) +})