Feat: Adding provenance publish config #1127
Conversation
Hello! 👋 This repository uses Auto for releasing packages using PR labels. ✨ This PR can be merged but will not trigger a new release. To trigger a new release add the |
LGTM! 🚀
@@ -186,6 +186,9 @@ jobs: | |||
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} | |||
NX_BRANCH: ${{ github.event.number || github.ref_name }} | |||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |||
permissions: |
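Review bot: the hunk ends at the new `permissions:` key with none of its scopes visible, and adding a job-level `permissions` block turns every scope not listed to none, so besides the `id-token: write` that npm provenance requires, the scopes this job already relies on (at least `contents: read` for checkout) need to be listed explicitly or the job loses them. Suggest showing the full block in the diff, e.g. `permissions:` / `  contents: read` / `  id-token: write`.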
@jackw I've added this because I assume it will be required. fyi
Looking at the docs we do need to set the id-token. However, are we using this github token or the github-app-token further down?
My assumption is that they are a bit different and it needs the specific id-token. I guess we will see once we run it :)
What this PR does / why we need it:
Linking npm package builds better to source code and CI builds using sigstore.
More context in: https://docs.npmjs.com/generating-provenance-statements
I don't think we have to force publishing new versions just because of this change. I would rather just wait for regular releases to happen to those packages after this change is merged.
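For context on what the publish configuration described above has to look like end to end, here is an added example of a minimal GitHub Actions publish job that emits an npm provenance attestation. It is not this repository's workflow: the workflow name, tag trigger, action versions, Node version and `NPM_TOKEN` secret name are assumptions, and the job is deliberately reduced to the parts that matter for provenance.

```yaml
# Added example, not the project's own workflow. Assumes npm >= 9.5 (the first
# version that understands --provenance / publishConfig.provenance) and a
# secret named NPM_TOKEN holding an npm automation token (placeholder name).
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      # Declaring permissions at job level disables every scope not listed,
      # so the scope checkout needs must be granted explicitly.
      contents: read
      # Lets the job request the OIDC token that Sigstore binds to the
      # attestation, tying the package to this repo, commit and workflow run.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # --provenance is the CLI equivalent of "publishConfig": {"provenance": true}
      # in package.json; the token still authenticates the publish, the
      # attestation is generated and uploaded alongside the tarball.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Without `id-token: write` the publish step fails with an error about not being able to obtain an OIDC token, which is the symptom the discussion above anticipates. On the consuming side, `npm audit signatures` checks that installed packages carry valid registry signatures and, where present, provenance attestations, so a downstream project can verify that a published version actually came from the expected source repository and CI run.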