build: Add provenence flag when publishing jsapi-types (#5204)

- .npmrc file is not getting used with how we publish (building the tarball first and then publishing from a different directory) - Adding the --provenance flag should generate the provenance statements automatically: https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions - This _should_ work even publishing from the tarball, as the provenance info is generated after the tarball is created: https://github.com/npm/provenance?tab=readme-ov-file#demo-generating-signed-slsa-provenance
deephaven · Mar 6, 2024 · 1c1b4b2 · 1c1b4b2
1 parent b01510b
commit 1c1b4b2
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/.github/workflows/publish-ci.yml b/.github/workflows/publish-ci.yml
@@ -113,5 +113,5 @@ jobs:
         if: ${{ startsWith(github.ref, 'refs/heads/release/v') }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.DEEPHAVENBOT_NPM_TOKEN }}
-        run: npm publish --tag latest web/client-api/types/build/deephaven-jsapi-types-*.tgz
+        run: npm publish --provenance --tag latest web/client-api/types/build/deephaven-jsapi-types-*.tgz
         continue-on-error: true
diff --git a/web/client-api/types/.npmrc b/web/client-api/types/.npmrc
@@ -1,2 +1 @@
 engine-strict=true
-provenance=true