Setup npm provenance statements (#5406)

* give publish job permissions for npm provenance * add `—provenance` flag to `npm publish` * remove unneeded `contents` permission
video-dev · Apr 20, 2023 · a9afcd5 · a9afcd5
1 parent ebd7993
commit a9afcd5
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -266,6 +266,8 @@ jobs:
     needs: [config, test_unit]
     if: needs.config.outputs.tag || needs.config.outputs.isMainBranch == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v3
 

diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
@@ -6,7 +6,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
   # see https://docs.npmjs.com/private-modules/ci-server-config
   echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
   if [[  -z "$TAG" ]]; then
-    npm publish --tag canary
+    npm publish --provenance --tag canary
     echo "Published canary."
     curl https://purge.jsdelivr.net/npm/hls.js@canary
     curl https://purge.jsdelivr.net/npm/hls.js@canary/dist/hls-demo.js
@@ -19,7 +19,7 @@ if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
       exit 1
     fi
     echo "Publishing tag: ${tag}"
-    npm publish --tag "${tag}"
+    npm publish --provenance --tag "${tag}"
     curl "https://purge.jsdelivr.net/npm/hls.js@${tag}"
     echo "Published."
   fi