chore: Publish to NPM with provenance #2276
Merged
profnandaa merged 2 commits into validatorjs:master from meyfa:patch-1 on Apr 27, 2024
The release process in this repository is already automated via GitHub Actions, which is a great first step toward creating trust in the supply chain. Recently, NPM has started to support publishing with the `--provenance` flag. This flag creates a link between the GitHub Actions run that created the release and the final artifact on NPM. This linkage further ensures that package installs can be traced back to a specific code revision. For more information on publishing with provenance, please refer to: https://github.blog/2023-04-19-introducing-npm-package-provenance/
Codecov Report
Patch and project coverage have no change.

Additional details and impacted files

```
@@ Coverage Diff @@
## master #2276 +/- ##
=======================================
Coverage 99.95% 99.95%
=======================================
Files 107 107
Lines 2454 2454
Branches 619 619
=======================================
Hits 2453 2453
Partials 1 1
```
WikiRik (Member) reviewed on Aug 26, 2023 and left a comment:
Do we need to set up anything different than now? Like refreshing the NPM token with different permissions. Or is it all set up, ready to go already since we publish to NPM?
Contributor (Author):
@WikiRik This is all that's needed. NPM and GitHub Actions handle the rest automatically.
Contributor (Author):
Please also refer to the following page if in doubt: https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
WikiRik approved these changes on Aug 26, 2023
profnandaa approved these changes on Apr 27, 2024
Note that the update of Node.js to v18 is required for NPM v9.5+ to be installed, which is needed for provenance.
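For reference, a minimal GitHub Actions publish job that uses `--provenance`, added here as an illustration and not taken from this pull request or the validator.js repository. The workflow name, trigger, `npm ci` step and `NPM_TOKEN` secret name are assumptions.

```yaml
# Added example, not the project's workflow. Items marked "assumed" are placeholders.
name: publish                      # assumed workflow name
on:
  release:
    types: [published]             # assumed trigger

# Default to read-only; widen only in the job that needs it.
permissions:
  contents: read

jobs:
  publish:
    # npm generates provenance only on cloud-hosted CI runners.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Allows the job to request the OIDC token that npm uses to sign
      # the provenance statement. Without it, --provenance fails.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18         # the PR notes Node.js v18 is required for npm v9.5+
          registry-url: https://registry.npmjs.org
      - run: npm --version         # confirm npm >= 9.5 before publishing
      - run: npm ci                # assumed install step
      - run: npm publish --provenance
        env:
          # The npm token still authenticates the publish itself; the OIDC
          # token above is used only for the provenance attestation.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Consumers can check the resulting attestations for installed packages with `npm audit signatures`.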