feat(publish): use provenance for npm publishing (#476)

prisma · Nov 13, 2023 · ab791d5 · ab791d5
1 parent 6cb19ae
commit ab791d5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/.github/workflows/dry-publish.yml b/.github/workflows/dry-publish.yml
@@ -29,11 +29,13 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          node-version: '20'
 
       - run: bash .github/workflows/setup.sh
 
       - run: pnpm run publish-all --dry
         id: publish_script
         env:
           GITHUB_EVENT_CLIENT_PAYLOAD: '{"branch": "main", "commit": "e2942655e5370b20e0b3942f4717c2a302b0b620"}'
+          # https://docs.npmjs.com/generating-provenance-statements
+          NPM_CONFIG_PROVENANCE: true
diff --git a/.github/workflows/publish-engines.yml b/.github/workflows/publish-engines.yml
@@ -14,6 +14,10 @@ jobs:
     name: 'Publish engines-wrapper packages for prisma-engines branch ${{ github.event.client_payload.branch }} and commit ${{ github.event.client_payload.commit }}'
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      # required for publishing to npm with --provenance
+      # see https://docs.npmjs.com/generating-provenance-statements
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
@@ -25,7 +29,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '16'
+          node-version: '20'
 
       - run: bash .github/workflows/setup.sh
         env:
@@ -37,6 +41,8 @@ jobs:
         env:
           CI: true
           GITHUB_EVENT_CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }}
+          # https://docs.npmjs.com/generating-provenance-statements
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Workflow dispatch to prisma/prisma-engines for @prisma/prisma-schema-wasm publish to npm
         uses: benc-uk/workflow-dispatch@v1