Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add npm provenance to npm package #2205

Merged
merged 2 commits into from
Oct 11, 2023
Merged

Add npm provenance to npm package #2205

merged 2 commits into from
Oct 11, 2023

Conversation

jailln
Copy link
Contributor

@jailln jailln commented Oct 11, 2023

Description

Add npm provenance to npm published packages. npm provenance is only available as of npm cli 9.5.0+ so I also updated the deployment workflow node version from 16 to 18.

Tested on my fork (with publication on my npm account).

Motivation and Context

Use a newly introduced npm feature and explicitely link our npm releases to this repository and to the commit it was created from.

Closes #1963

Screenshots (if appropriate)

image

@jailln jailln mentioned this pull request Oct 11, 2023
Merged
Desplandis
Desplandis approved these changes Oct 11, 2023
View reviewed changes
Copy link
Contributor

@Desplandis Desplandis left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay to me. I added a comment to request an explanation of the behavior of the id-token permission.

.github/workflows/integration.yml
Comment on lines +144 to +145
permissions:
id-token: write
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason we need to elevate permission on id-token? According to npm provenance documentation, this seems mandatory to authenticate the action with its GITHUB_TOKEN. But can't find a documentation of the behavior of id_token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't get into the details of the id-token permission, I followed the npm provenance doc that said to add it. You can find the documentation about id-token here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I understand the rationale now!

Ready To Merge then!

@Desplandis Desplandis removed the request for review from mgermerie October 11, 2023 15:17
@Desplandis Desplandis merged commit cb29ab6 into iTowns:master Oct 11, 2023
7 checks passed
@jailln jailln mentioned this pull request Oct 12, 2023
Merged
@jailln jailln deleted the chore/npm-provenance branch October 16, 2023 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Desplandis Desplandis Desplandis approved these changes

Assignees

@jailln jailln

@mgermerie mgermerie

@Desplandis Desplandis

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Explicit link between itowns next version and associated PR
3 participants
@jailln @Desplandis @mgermerie