fix(publish): gate --provenance on GITHUB_ACTIONS to unbreak local runs

jdalton · jdalton · commit 07c19efbcad8 · 2026-04-19T17:47:25.000-04:00
`npm publish --provenance` requires the GitHub Actions OIDC
id-token endpoint — running the script locally (non-dry-run) fails
with "Provenance generation in GitHub Actions requires
'id-token: write' permission".

Guarded the flag behind `process.env.GITHUB_ACTIONS === 'true'` so
local emergency publishes still work. CI runs unchanged.

Same fix landed in stuie + socket-registry + socket-packageurl-js
in parallel commits.
diff --git a/scripts/publish.mts b/scripts/publish.mts
@@ -270,8 +270,12 @@ async function publishPackage(options: PublishOptions = {}): Promise<boolean> {
   // Prepare publish args.
   const publishArgs = ['publish', '--access', access, '--tag', tag]
 
-  // Add provenance by default (works with trusted publishers).
-  if (!dryRun) {
+  // Add provenance attestation in CI only. `npm publish --provenance`
+  // requires the GitHub Actions OIDC id-token endpoint; running locally
+  // fails with "Provenance generation in GitHub Actions requires
+  // 'id-token: write' permission". Gated so local non-dry-run publishes
+  // (emergency cases) still work.
+  if (!dryRun && process.env['GITHUB_ACTIONS'] === 'true') {
     publishArgs.push('--provenance')
   }
 
