Skip to content

Commit b2deb1b

Browse files
committed
Enable provenance for npm publishing
This adds the `--provenance` flag to `npm publish` commands in both production and RC release workflows. This enhances supply chain security by attaching verifiable build information to published packages.
1 parent cb614d8 commit b2deb1b

2 files changed

Lines changed: 2 additions & 2 deletions

File tree

.github/workflows/production-release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -178,7 +178,7 @@ jobs:
178178
NODE_AUTH_TOKEN: ''
179179
run: |
180180
echo "Publishing version $VERSION to npm..."
181-
npm publish
181+
npm publish --provenance
182182
echo "Published $VERSION to npm"
183183
184184
- name: Dry-run publish

.github/workflows/rc-release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -484,7 +484,7 @@ jobs:
484484
if: ${{ needs.validate-release.outputs.is_dry_run != 'true' }}
485485
env:
486486
NODE_AUTH_TOKEN: ''
487-
run: npm publish --tag rc
487+
run: npm publish --tag rc --provenance
488488

489489
# ===========================================================================
490490
# Create Pre-Release Tag

0 commit comments

Comments
 (0)